Abstract — We prove that nested lattice codes can achieve
semantic security and strong secrecy over the Gaussian wiretap
channel. The key tool in our proof is the flatness factor, which
characterizes the convergence of the conditional output
distributions corresponding to different messages and leads to an
upper bound on the information leakage. We not only show the
existence of lattice codes that are good for secrecy, but also
propose the flatness factor as a new design criterion. Both the
modulo-lattice Gaussian channel and the genuine Gaussian channel
are considered. In the latter case, we propose a new secrecy
coding scheme based on the discrete Gaussian distribution over
a lattice, which achieves the secrecy capacity to within a half nat
under mild conditions. No a priori distribution of the message is
assumed, and no dither is used in our proposed schemes.

Index Terms — lattice coding, physical layer security, strong 
secrecy, semantic security, wiretap channel. 



I. Introduction

The idea of information-theoretic security stems from
Shannon's notion of perfect secrecy. Perfect security can
be achieved by encoding an information message $M$ (also
called plaintext message), belonging to a finite space $\mathcal{M}$,
into a codeword or ciphertext $Z$, belonging to a discrete or
continuous space $\mathcal{Z}$, in such a way that the mutual information
$I(M; Z) = 0$. However, perfect security is impractical because
it requires a one-time pad.

In the context of noisy channels, Wyner [1] proved that
both robustness to transmission errors and a prescribed degree
of data confidentiality could simultaneously be attained
by channel coding without any secret key. Wyner replaced
Shannon's perfect secrecy with the weak secrecy condition
$\lim_{n\to\infty} \frac{1}{n} I(M; Z^n) = 0$, namely the asymptotic rate of leaked
information between the message $M$ and the channel output $Z^n$
should vanish as the block length $n$ tends to infinity.
Unfortunately, it is still possible for a scheme satisfying
weak secrecy to exhibit some security flaws, e.g., the total
amount of leaked information may go to infinity, and now
it is widely accepted that a physical-layer security scheme
should be secure in the sense of Csiszár's strong secrecy
$\lim_{n\to\infty} I(M; Z^n) = 0$ [2].

In the notion of strong secrecy, plaintext messages are often
assumed to be random and uniformly distributed in $\mathcal{M}$. This
assumption is deemed problematic from the cryptographic
perspective, since in many setups plaintext messages are not
random. This issue can be resolved by using the standard notion
of semantic security [3], which requires that the probability
that the eavesdropper can guess any function of the message
given the ciphertext should not be significantly higher than the
probability of guessing it using a simulator that does not have
access to the ciphertext. The relation between strong secrecy
and semantic security was revealed in [4] for discrete wiretap
channels, namely, achieving strong secrecy for all distributions
of the plaintext messages is equivalent to achieving semantic
security.

Explicit wiretap codes achieving strong secrecy over discrete
memoryless channels have been proposed in [5], [6]. In
particular, polar codes in [6] also achieve semantic security
(although this was implicit in [6]). For continuous channels
such as the Gaussian channel, the problem of achieving strong 
secrecy has been little explored so far and the design of 
wiretap codes has mostly focused on the maximization of the 
eavesdropper's error probability [7]. Recently, some progress 
has been made in using nested lattice codes over Gaussian 
wiretap channels flllt]. It is quite natural to replace Wyner' s 
random binning with coset coding induced by a lattice partition
$\Lambda_e \subset \Lambda_b$. The secret bits are used to select one coset of the
coarse lattice $\Lambda_e$ and a random point inside this coset is
transmitted. Explicit wiretap lattice codes from an error probability
point of view were proposed in [10], which also introduced
the notion of secrecy gain and showed that the eavesdropper's
error probability lim„^oo Pe = ^ for even unimodular lattices. 



These lattice codes were further investigated in [11]. Finally,
in [12] the existence of lattice codes (based on the ensemble
of random lattice codes) achieving the secrecy capacity under 
the weak secrecy criterion was demonstrated. 

Main Contributions 

In the present work, we prove that lattice codes can achieve
strong secrecy and semantic security over (continuous) Gaussian
wiretap channels.

Firstly, we follow Csiszár's idea [2] to show that strong
secrecy is guaranteed if the conditional output distributions
corresponding to different messages converge to the same
distribution in the sense of distance (also sometimes
referred to as variational distance or statistical distance). This
allows us to extend the relation between strong secrecy and
semantic security to continuous wiretap channels. More
precisely, we derive a bound on the mutual information in
terms of the variational distance for continuous channels.

More importantly, we propose the flatness factor of a lattice
as a fundamental criterion which guarantees convergence of
conditional outputs and characterizes the amount of information
leakage. This leads to defining a notion of lattices that are
"good for secrecy", similarly to the notions of good lattices
which have been proposed for coding problems. Following
the approach of Loeliger [13], we then show the existence of
infinite families of secrecy-good lattices which can be obtained
by lifting linear codes over finite fields using Construction
A. To establish this proof, we introduce a modified version
of Loeliger's Minkowski-Hlawka theorem, which allows us to
average a non-compactly supported function over a lattice
ensemble.

Before tackling the problem of coding for the Gaussian
wiretap channel, and to gain useful insights, we consider a
simplified scenario, the mod-$\Lambda$ wiretap channel, and show the
existence of nested lattices which guarantee strong secrecy
against eavesdroppers and reliability for the legitimate receiver
at the same time. The analysis of the mod-$\Lambda$ channel was a key
element in the proof that lattice coding and decoding achieve
the capacity of the additive white Gaussian noise (AWGN)
channel in [14], [15]. The mod-$\Lambda$ wiretap channel was already



considered in |18|] in the context of secrecy with noisy feedback, 
where it was suggested that finding good wiretap codes for
this model can give significant insight to solve the AWGN
case. However, as observed in [8] and [9], transferring these
techniques from the modulo-$\Lambda$ case to the AWGN case is not
trivial since the modulo structure helps to conceal information
from the eavesdropper. We solve this difficulty by employing
lattice Gaussian signaling for the Gaussian wiretap scenario.
More precisely, the distribution of each bin in our wiretap code
is a discrete Gaussian distribution over a coset of a
secrecy-good lattice. Non-uniform signaling for AWGN channels using
discrete Gaussian inputs was already used in [16], where it
was shown that such inputs are optimal in terms of shaping
gains. Our contribution is to use the flatness factor to show that
discrete Gaussian signaling over good lattices can approach
the secrecy capacity of the Gaussian wiretap channel up to a
constant gap of $\frac{1}{2}$ nat (under very mild assumptions) by using
a minimum mean-square error (MMSE) filter at the legitimate
receiver.

The proposed approach shows a couple of salient features. 
Firstly, throughout the paper, we do not make any assumption 
on the distribution of the plaintext message M, i.e., the security 
holds for any particular message. Thus, similarly to 101, 
we prove that lattice codes can achieve semantic security. 
Secondly, in contrast to what is nowadays the common practice
of lattice coding [15], we do not use a dither. This may
simplify the implementation of the system.



Relations to Existing Works 

Relation to secrecy gain: Given the fundamental volume of
a lattice, a small flatness factor requires a small theta series,
which coincides with the criterion from [10] for enjoying a
large secrecy gain. Thus, although different criteria are adopted
in [10] and in this paper, they are in fact consistent with each
other.

Relation to resolvability : In llTl llSll . a technique based on 



resolvability was suggested to obtain strong secrecy, which 
uses a binning scheme such that the bin rate is above the 
capacity of the eavesdropper's channel. We will show this is 
also the case for the proposed lattice scheme. 

Relation to lattice-based cryptography: Lattice-based
cryptography [19] aims at realizing classical cryptographic
primitives, such as digital signatures and public-key encryption
schemes, that are provably secure under algorithmic hardness
assumptions on worst-case lattice problems, such as variants
of the decisional shortest vector problem. In the present work,
we propose an encryption scheme for the Gaussian wiretap
channel that involves lattices, but the security is proven
without algorithmic hardness assumptions.



Organization 

Section II studies the relation between semantic security
and strong secrecy for continuous wiretap channels. In Section
III, we review lattice Gaussian distributions and propose the
flatness factor. Sections IV and V address the mod-$\Lambda$ channel
and the Gaussian wiretap channel, respectively. In Section VI,
we conclude the paper with a brief discussion of open issues.

Throughout this paper, we use the natural logarithm, denoted
by log, and information is measured in nats. We use
the standard asymptotic notation $f(x) = O(g(x))$ when
$\limsup_{x\to\infty} |f(x)/g(x)| < \infty$, $f(x) = \Omega(g(x))$ when
$\limsup_{x\to\infty} |g(x)/f(x)| < \infty$, and $f(x) = o(g(x))$ when
$\limsup_{x\to\infty} |f(x)/g(x)| = 0$.

II. Strong secrecy and semantic security in continuous channels

In this section, we investigate the relation between strong
secrecy and semantic security in continuous wiretap channels.
In particular, we extend the results of Section 3 of [4] to such
channels. The results are general and apply to more than lattice
codes.

A. Wiretap Codes 

In this section we briefly recall some basic definitions for
the wiretap setting. For a general introduction to continuous
wiretap channels, we refer the reader to [21].

Consider an $n$-dimensional continuous memoryless wiretap
channel with input $X^n$ and outputs $Y^n$, $Z^n$ defined by the i.i.d.
conditional distributions:

$$p_{Y^n|X^n}(\mathbf{y}|\mathbf{x}) = \prod_{i=1}^{n} p_{Y|X}(y_i|x_i), \qquad p_{Z^n|X^n}(\mathbf{z}|\mathbf{x}) = \prod_{i=1}^{n} p_{Z|X}(z_i|x_i)$$

for the legitimate receiver and the eavesdropper respectively.
The random variables $X^n, Y^n, Z^n$ take values in $\mathbb{R}^n$. The
channel input is subject to an average power constraint $P$:

$$\frac{1}{n} E\left[\|X^n\|^2\right] \le P. \qquad (1)$$



Definition 1 (Wiretap code). An $(R, R', n)$ wiretap code
for the channel defined above is given by a message set
$\mathcal{M}_n = \{1, \ldots, e^{nR}\}$, an auxiliary discrete random source $S$
of entropy rate $R'$ taking values in $\mathcal{S}_n$, an encoding function
$f_n : \mathcal{M}_n \times \mathcal{S}_n \to \mathbb{R}^n$ and a decoding function $g_n : \mathbb{R}^n \to \mathcal{M}_n$
for the legitimate receiver. Let $X^n = f_n(M, S)$ be the channel
input for a distribution $M$ of messages, and $\hat{M} = g_n(Y^n)$ the
estimate of the legitimate receiver. The channel input $X^n$ must
satisfy the average power constraint (1), with respect to $M$
chosen as the uniform distribution and to the randomness
source $S$. Alternatively, one can impose a more stringent
average power constraint on each individual bin (without
assuming $M$ is uniformly distributed):

$$\forall m \in \mathcal{M}_n, \quad \frac{1}{n} E_S\left[\|f_n(m, S)\|^2\right] \le P. \qquad (2)$$

We denote by $\mathcal{C}_n = f_n(\mathcal{M}_n, \mathcal{S}_n)$ the set of codewords and by
$\mathcal{C}_n(m) = f_n(m, \mathcal{S}_n)$ the "bin" corresponding to the message
$m \in \mathcal{M}_n$.

Incidentally, the proposed lattice codes will satisfy the 
individual power constraint. 

Remark 1. Note that we do not impose the randomness 
set Sn to be finite. In fact, in the scheme of Section V, the 
encryption algorithm is Las Vegas and may require arbitrarily 
many random bits (although with extremely small probability). 
It is possible to modify this scheme for limiting the number of 
requested random bits, but this modification is cumbersome. 
The principle is as follows. As the distribution of the required 
number of random bits has a very small tail (similar to a 
Gaussian distribution), one could fix an a priori bound to 
the number of requested bits and abort the algorithm and 
return an arbitrary value if that bound is reached. Since the 
output distributions of the original and modified encryption 
algorithms are statistically very close, properties that hold for 
the original scheme still hold for the modified scheme. 

B. Strong Secrecy and Semantic Security 

In what follows we will consider both continuous and
discrete random variables as well as mixed pairs of discrete
and continuous random variables. Let $X$, $Y$ be continuous
random variables taking values in $\mathbb{R}^n$ with densities $p_X$ and $p_Y$
respectively, and $M$, $M'$ discrete random variables taking values
in a finite set $\mathcal{M}_n$, with probability mass functions $p_M$, $p_{M'}$.
Let $p_{XM}(\mathbf{x}, m)$ be the joint hybrid density of the mixed
pair $(X, M)$: that is, $\forall m \in \mathcal{M}_n$, $p_{XM}(\cdot, m)$ is the density
corresponding to the probability measure $\mu_m(A) = P\{M = m, X \in A\}$
for all measurable sets $A \subset \mathbb{R}^n$.

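Definition 2 (Kullback-Leibler divergence and mutual
information). The Kullback-Leibler divergence of the continuous
distributions $p_X$ and $p_Y$ is defined as
$D(p_X \| p_Y) = \int_{\mathbb{R}^n} p_X(\mathbf{x}) \log \frac{p_X(\mathbf{x})}{p_Y(\mathbf{x})} \, d\mathbf{x}$.
Similarly, for discrete distributions $p_M$ and $p_{M'}$ we define
$D(p_M \| p_{M'}) = \sum_{m \in \mathcal{M}_n} p_M(m) \log \frac{p_M(m)}{p_{M'}(m)}$.
The mutual information between $X$, $Y$ is defined by

$$I(X; Y) = D(p_{XY} \| p_X p_Y).$$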

We now recall the notion of variational distance or statistical
distance between two distributions. Note that in the
literature the variational distance is sometimes scaled by a
factor $\frac{1}{2}$. We choose normalization factor 1 so that it matches
with the distance between distributions.

Definition 3 (Variational distance). Let $p$ and $q$ be two discrete
distributions on a finite set $\mathcal{M}$. Then the variational distance
between $p$ and $q$ is

$$V(p, q) \triangleq \sum_{x \in \mathcal{M}} |p(x) - q(x)|.$$

Similarly, for continuous distributions with densities $p$ and $q$,
the variational distance is defined by

$$V(p, q) \triangleq \int_{\mathbb{R}^n} |p(\mathbf{x}) - q(\mathbf{x})| \, d\mathbf{x}.$$



With the definitions given above, we are ready to introduce 
strong secrecy and semantic security. 

Definition 4 (Achievable strong secrecy rate). The message
rate $R$ is an achievable strong secrecy rate if there exists a
sequence of wiretap codes $\{\mathcal{C}_n\}$ of rate $R$ such that

$$P\{\hat{M} \ne M\} \to 0 \quad \text{(reliability)}, \qquad I(M; Z^n) \to 0 \quad \text{(strong secrecy)}$$

when $n \to \infty$.



In the definition of strong secrecy for communications, no
special attention is paid to the issue of message distribution.
In fact, a uniform distribution is often assumed in the coding
literature. But this is insufficient from a cryptographic
viewpoint, as it does not ensure security for a particular message.
To address this issue of the wiretap code, we need to ensure
the mutual information vanishes for all message distributions:

$$\mathrm{Adv}^{\mathrm{mis}}(Z^n) \triangleq \max_{p_M} I(M; Z^n) \to 0 \qquad (3)$$

when $n \to \infty$. The adversarial advantage $\mathrm{Adv}^{\mathrm{mis}}$ tending
to zero was termed mutual information security in [4]. In
this paper, the terms mutual information security and strong
secrecy for all message distributions are used interchangeably.
Note that one may further impose constraints on the rate
of convergence towards 0; in practice an exponential rate of
convergence is desired.

Let the min-entropy of a discrete random variable M be 



$$H_\infty(M) = -\log\left(\max_m P\{M = m\}\right),$$
and the conditional min-entropy of M given U be 



Hoo(M|U) 



'{U li}Hoo(M|U = u). 
Definition 5 (Semantic security). A sequence of wiretap
codes $\{\mathcal{C}_n\}$ achieves semantic security if

$$\mathrm{Adv}^{\mathrm{ss}}(Z^n) \triangleq \sup_{f, p_M} \left( e^{-H_\infty(f(M)|Z^n)} - e^{-H_\infty(f(M))} \right) \to 0$$

when $n \to \infty$. The supremum is taken over all message
distributions $p_M$ and all functions $f$ of $M$ taking values in
the set $\{0, 1\}^*$ of finite binary words.

Semantic security means that, asymptotically, it is impossible
to estimate any function of the message better than to guess
it without considering $Z^n$ at all. We also define distinguishing
security, which means that, asymptotically, the channel outputs
are indistinguishable for different input messages.

Definition 6 (Distinguishing security). A sequence of wiretap
codes $\{\mathcal{C}_n\}$ achieves distinguishing security if

$$\mathrm{Adv}^{\mathrm{ds}}(Z^n) \triangleq \max_{m, m'} V(p_{Z^n|M=m}, p_{Z^n|M=m'}) \to 0, \qquad (4)$$

when $n \to \infty$. The maximum in the previous equation is taken
over all messages $m, m' \in \mathcal{M}_n$.

As for the discrete wiretap channel setup considered in 
the classical proof of equivalence between semantic security 
and distinguishing security jstl can be readily adapted and it 
can be shown that¹

$$2\,\mathrm{Adv}^{\mathrm{ss}}(Z^n) \le \mathrm{Adv}^{\mathrm{ds}}(Z^n) \le 4\,\mathrm{Adv}^{\mathrm{ss}}(Z^n). \qquad (5)$$

Even though the two definitions are equivalent, distinguishing 
security often turns out to be technically easier to manipulate. 

C. Equivalence 

We will show that semantic security and strong secrecy
for all message distributions are equivalent for continuous
channels. This is an extension of the results from Section 3
of [4].

We first need the following continuous channel adaptation of
Csiszár's [2, Lemma 1]. The lower bound is a consequence
of Pinsker's inequality (see [22, pp. 58-59]). The proof of the
upper bound is similar to the discrete case and is given in
Appendix I.

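Lemma 1. Let $Z^n$ be a random variable defined on $\mathbb{R}^n$
and $M$ be a random variable over a finite domain $\mathcal{M}_n$ such
that $|\mathcal{M}_n| > 4$. Then

$$\frac{1}{2} d_{av}^2 \le I(M; Z^n) \le d_{av} \log \frac{|\mathcal{M}_n|}{d_{av}},$$

where

$$d_{av} = \sum_{m \in \mathcal{M}_n} p_M(m) \, V(p_{Z^n|M=m}, p_{Z^n})$$

is the average variational distance of the conditional output
distributions from the global output distribution.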

We now prove the equivalence between semantic security 
and strong secrecy for all message distributions via distin- 
guishing security. 

¹Note that the factors in [4] are 1 on the left and 2 on the right, respectively,
due to the factor $\frac{1}{2}$ used in the definition of the variational distance in [4].



Theorem 1. a) A sequence of wiretap codes $\{\mathcal{C}_n\}$ of
rate $R$ which achieves semantic security with advantage
$\mathrm{Adv}^{\mathrm{ss}}(Z^n) = o(\frac{1}{n})$ also achieves strong secrecy for all
message distributions: $\forall p_M$,

$$I(M; Z^n) \le \mathrm{Adv}^{\mathrm{mis}}(Z^n) \le \epsilon_n (nR - \log \epsilon_n),$$

where $\epsilon_n = \mathrm{Adv}^{\mathrm{ds}}(Z^n)$. b) A sequence of wiretap codes $\{\mathcal{C}_n\}$
which achieves strong secrecy for all message distributions
also achieves semantic security:

$$\mathrm{Adv}^{\mathrm{ds}}(Z^n) \le 2\sqrt{2\,\mathrm{Adv}^{\mathrm{mis}}(Z^n)}.$$

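Proof:

(a) Distinguishing security $\Rightarrow$ strong secrecy for all message
distributions: For any $m \in \mathcal{M}_n$, we have

$$V(p_{Z^n|M=m}, p_{Z^n}) = \int_{\mathbb{R}^n} \Big| p_{Z^n|M}(\mathbf{z}|m) - \sum_{m' \in \mathcal{M}_n} p_M(m') \, p_{Z^n|M}(\mathbf{z}|m') \Big| \, d\mathbf{z}$$

$$= \int_{\mathbb{R}^n} \Big| \sum_{m' \in \mathcal{M}_n} p_M(m') \left( p_{Z^n|M}(\mathbf{z}|m) - p_{Z^n|M}(\mathbf{z}|m') \right) \Big| \, d\mathbf{z}$$

$$\le \max_{m'} V(p_{Z^n|M=m}, p_{Z^n|M=m'})$$

$$\le \max_{m', m''} V(p_{Z^n|M=m'}, p_{Z^n|M=m''}) = \epsilon_n.$$

Therefore $d_{av} \le \epsilon_n$. By Lemma 1 we obtain

$$I(M; Z^n) \le \epsilon_n \log \frac{|\mathcal{M}_n|}{\epsilon_n} = \epsilon_n nR - \epsilon_n \log \epsilon_n.$$

If $\mathrm{Adv}^{\mathrm{ds}}(Z^n) = o(\frac{1}{n})$, then $I(M; Z^n) \to 0$.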

(b) Strong secrecy for all message distributions $\Rightarrow$
distinguishing security: Let $m \in \mathcal{M}_n$ be arbitrary. If strong
secrecy holds for all distributions, then in particular it holds
for the distribution $p_m$ defined by $p_m(m') = 1$ if $m = m'$
and 0 otherwise. Now, Pinsker's inequality (see [22, pp. 58-59])
asserts that $V(p, q) \le \sqrt{2 D(p \| q)}$ for any distributions $p$
and $q$. We thus have:

$$V(p_{(Z^n, m)}, p_{Z^n} p_m) = \sum_{m' \in \mathcal{M}_n} \int_{\mathbb{R}^n} \left| p_{(Z^n, m)}(\mathbf{z}, m') - p_{Z^n}(\mathbf{z}) p_m(m') \right| d\mathbf{z}$$

$$= \int_{\mathbb{R}^n} \left| p_{Z^n|M=m}(\mathbf{z}) - p_{Z^n}(\mathbf{z}) \right| d\mathbf{z} \le \sqrt{2 I(m; Z^n)}.$$

The strong secrecy assumption implies that:

$$V(p_{Z^n|M=m}, p_{Z^n}) = \int_{\mathbb{R}^n} \left| p_{Z^n|M=m}(\mathbf{z}) - p_{Z^n}(\mathbf{z}) \right| d\mathbf{z} \to 0.$$

Using the triangular inequality

$$V(p_{Z^n|M=m}, p_{Z^n|M=m'}) \le V(p_{Z^n|M=m}, p_{Z^n}) + V(p_{Z^n|M=m'}, p_{Z^n}),$$

we obtain distinguishing security. □

Note that Lemma 2 in [5] also holds: For any distribution
$q_{Z^n}$ on $\mathbb{R}^n$, we have

\M=rm 9Z" )■ (6) 
Together with Lemma 1, this leads to an upper bound on
the mutual information, in case we can approximate $p_{Z^n|M=m}$
by a density that is independent of $m$.

Lemma 2. Suppose that for all $n$ there exists some density $q_{Z^n}$
in $\mathbb{R}^n$ such that $V(p_{Z^n|M=m}, q_{Z^n}) \le \epsilon_n$, for all $m \in \mathcal{M}_n$.
Then we have $d_{av} \le 2\epsilon_n$ and so

$$I(M; Z^n) \le 2\epsilon_n nR - 2\epsilon_n \log(2\epsilon_n). \qquad (7)$$

In the rest of this paper, we will use lattice codes to achieve
semantic security.

III. Lattice Gaussian distribution and flatness factor

In this section, we introduce the mathematical tools we will
need to describe and analyze our wiretap codes.

A. Preliminaries on Lattices

An $n$-dimensional lattice $\Lambda$ in the Euclidean space $\mathbb{R}^n$ is a
set defined by

$$\Lambda = \mathcal{L}(\mathbf{B}) = \{\mathbf{B}\mathbf{x} : \mathbf{x} \in \mathbb{Z}^n\}$$

where the columns of the basis matrix $\mathbf{B} = [\mathbf{b}_1 \cdots \mathbf{b}_n]$ are
linearly independent. (In this work, we will restrict ourselves
to full-rank lattices.) The dual lattice $\Lambda^*$ of a lattice $\Lambda$ is
defined as the set of vectors $\mathbf{v} \in \mathbb{R}^n$ such that $\langle \mathbf{v}, \lambda \rangle \in \mathbb{Z}$, for
all $\lambda \in \Lambda$ (see, e.g., [23]).

For a vector $\mathbf{x}$, the nearest-neighbor quantizer associated
with $\Lambda$ is $Q_\Lambda(\mathbf{x}) = \arg\min_{\lambda \in \Lambda} \|\lambda - \mathbf{x}\|$. We define the modulo
lattice operation by $\mathbf{x} \bmod \Lambda = \mathbf{x} - Q_\Lambda(\mathbf{x})$. The Voronoi
cell of $\Lambda$, defined by $\mathcal{V}(\Lambda) = \{\mathbf{x} : Q_\Lambda(\mathbf{x}) = \mathbf{0}\}$, specifies
the nearest-neighbor decoding region. Important quantities
for $\mathcal{V}(\Lambda)$ include the cell volume $V(\Lambda) = \int_{\mathcal{V}(\Lambda)} d\mathbf{x}$, the second
moment per dimension $\sigma^2(\Lambda) = \frac{1}{nV(\Lambda)} \int_{\mathcal{V}(\Lambda)} \|\mathbf{x}\|^2 d\mathbf{x}$ and
the normalized second moment $G(\Lambda) = \sigma^2(\Lambda)/V(\Lambda)^{2/n}$. The
minimum of $G(\Lambda)$ of all the $n$-dimensional lattices is denoted
as $G_n$. From [24, p. 58], we have $G_n > 1/(2\pi e)$ for all $n$, and
$\lim_{n\to\infty} G_n = 1/(2\pi e)$. The Voronoi cell is one example of
fundamental region of the lattice. A measurable set $\mathcal{R} \subset \mathbb{R}^n$
is a fundamental region of the lattice $\Lambda$ if $\cup_{\lambda \in \Lambda}(\mathcal{R} + \lambda) = \mathbb{R}^n$
and if $(\mathcal{R} + \lambda) \cap (\mathcal{R} + \lambda')$ has measure 0 for any $\lambda \ne \lambda'$ in $\Lambda$.
The volume of a fundamental region is equal to that of the
Voronoi cell $V(\Lambda)$.

For a (full-rank) sublattice $\Lambda' \subset \Lambda$, the finite group $\Lambda/\Lambda'$
is defined as the group of distinct cosets $\lambda + \Lambda'$ for $\lambda \in \Lambda$.
The lattices $\Lambda'$ and $\Lambda$ are often said to form a pair of nested
lattices, in which $\Lambda$ is referred to as the fine lattice while $\Lambda'$
the coarse lattice. The nesting ratio is equal to $V(\Lambda')/V(\Lambda)$.

Some background on lattices that are good for channel
coding, and have been shown to approach the capacity of the
Gaussian channel, is provided in Appendix II. This includes
definitions of Rogers, quantization and AWGN-goodness.

B. Lattice Theta Series

The theta series of $\Lambda$ (see, e.g., [24]) is defined as

$$\Theta_\Lambda(z) = \sum_{\lambda \in \Lambda} q^{\|\lambda\|^2} \qquad (8)$$

where $q = e^{j\pi z}$ ($\Im(z) > 0$). Letting $z$ be purely imaginary,
and assuming $\tau = \Im(z) > 0$, we can alternatively express the
theta series as

$$\Theta_\Lambda(\tau) = \sum_{\lambda \in \Lambda} e^{-\pi\tau\|\lambda\|^2}. \qquad (9)$$



In [13], Loeliger derived a version of the Minkowski-Hlawka
theorem based on the averaging over Construction-A
lattices. We adapt his method to derive the average behavior of
the theta series for Construction A. Loeliger's derivation has
a restriction in that it requires a function of bounded support,
which is not the case for the Gaussian function associated with
the theta series. This restriction is circumvented here.

For integer $p > 0$, let $\mathbb{Z}^n \to \mathbb{Z}_p^n : \mathbf{v} \mapsto \bar{\mathbf{v}}$ be the element-wise
reduction modulo-$p$. Following [13], consider mod-$p$ lattices
(Construction A) of the form $\Lambda_C = \{\mathbf{v} \in \mathbb{Z}^n : \bar{\mathbf{v}} \in C\}$,
where $p$ is a prime and $C$ is a linear code over $\mathbb{Z}_p$. In the
proof, scaled mod-$p$ lattices $a\Lambda_C = \{a\mathbf{v} : \mathbf{v} \in \Lambda_C\}$ for some
$a \in \mathbb{R}^+$ are used. The fundamental volume of such a lattice is
$V(a\Lambda_C) = a^n p^{n-k}$, where $n$ and $k$ are the block length and
dimension of the code $C$, respectively. A set $\mathcal{C}$ of linear codes
over $\mathbb{Z}_p$ is said to be balanced if every nonzero element of $\mathbb{Z}_p^n$
is contained in the same number of codes from $\mathcal{C}$. In particular,
the set of all linear $(n, k)$ codes over $\mathbb{Z}_p$ is balanced.

Lemma 3 (Average behavior of theta series). Let $\mathcal{C}$ be any
balanced set of linear $(n, k)$ codes over $\mathbb{Z}_p$. Then, for
$0 < k < n$, for $a^n p^{n-k} = V$ and $\tau$ fixed, we have:



(10) 



The proof of Lemma 3 is provided in Appendix IV-A.

C. Lattice Gaussian Distribution 

Lattice Gaussian distributions arise from various problems 
in mathematics |25], coding flT] and cryptography i26ll . 
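For $\sigma > 0$ and $\mathbf{c} \in \mathbb{R}^n$, we define the Gaussian distribution of
variance $\sigma^2$ centered at $\mathbf{c} \in \mathbb{R}^n$ as

$$f_{\sigma,\mathbf{c}}(\mathbf{x}) = \frac{1}{(\sqrt{2\pi}\sigma)^n} e^{-\frac{\|\mathbf{x} - \mathbf{c}\|^2}{2\sigma^2}},$$

for all $\mathbf{x} \in \mathbb{R}^n$. For convenience, we write $f_\sigma(\mathbf{x}) = f_{\sigma,\mathbf{0}}(\mathbf{x})$.

We also consider the $\Lambda$-periodic function

$$f_{\sigma,\Lambda}(\mathbf{x}) = \sum_{\lambda \in \Lambda} f_{\sigma,\lambda}(\mathbf{x}) = \frac{1}{(\sqrt{2\pi}\sigma)^n} \sum_{\lambda \in \Lambda} e^{-\frac{\|\mathbf{x} - \lambda\|^2}{2\sigma^2}}, \qquad (11)$$

for all $\mathbf{x} \in \mathbb{R}^n$. Observe that $f_{\sigma,\Lambda}$ restricted to the quotient
$\mathbb{R}^n/\Lambda$ is a probability density.

We define the discrete Gaussian distribution over $\Lambda$ centered
at $\mathbf{c} \in \mathbb{R}^n$ as the following discrete distribution taking values
in $\lambda \in \Lambda$:

$$D_{\Lambda,\sigma,\mathbf{c}}(\lambda) = \frac{f_{\sigma,\mathbf{c}}(\lambda)}{f_{\sigma,\mathbf{c}}(\Lambda)}, \quad \forall \lambda \in \Lambda,$$

where $f_{\sigma,\mathbf{c}}(\Lambda) = \sum_{\lambda \in \Lambda} f_{\sigma,\mathbf{c}}(\lambda)$. Again for convenience, we
write $D_{\Lambda,\sigma} = D_{\Lambda,\sigma,\mathbf{0}}$. We remark that this definition differs
slightly from the one in [26], where $\sigma$ is scaled by a constant
factor $\sqrt{2\pi}$ (i.e., s =

It will be useful to define the discrete Gaussian distribution
over a coset of $\Lambda$, i.e., the shifted lattice $\Lambda - \mathbf{c}$:

$$D_{\Lambda - \mathbf{c},\sigma}(\lambda - \mathbf{c}) = \frac{f_\sigma(\lambda - \mathbf{c})}{f_{\sigma,\mathbf{c}}(\Lambda)}, \quad \forall \lambda \in \Lambda.$$

Note the relation $D_{\Lambda - \mathbf{c},\sigma}(\lambda - \mathbf{c}) = D_{\Lambda,\sigma,\mathbf{c}}(\lambda)$, namely, they
are a shifted version of each other.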

D. Flatness Factor 

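The flatness factor of a lattice $\Lambda$ quantifies the maximum
variation of $f_{\sigma,\Lambda}(\mathbf{x})$ for $\mathbf{x} \in \mathbb{R}^n$.

Definition 7 (Flatness factor). For a lattice $\Lambda$ and for a
parameter $\sigma$, the flatness factor is defined by:

$$\epsilon_\Lambda(\sigma) \triangleq \frac{\max_{\mathbf{x} \in \mathcal{R}(\Lambda)} |f_{\sigma,\Lambda}(\mathbf{x}) - 1/V(\Lambda)|}{1/V(\Lambda)}.$$

In other words, $f_{\sigma,\Lambda}(\mathbf{x})$ is within $1 \pm \epsilon_\Lambda(\sigma)$ from the
uniform distribution over $\mathcal{R}(\Lambda)$. The flatness factor may also
be interpreted as a scaled maximum variation of $f_{\sigma,\Lambda}(\mathbf{x})$,
as $E_{\mathbf{x}}[f_{\sigma,\Lambda}(\mathbf{x})] = 1/V(\Lambda)$ when $\mathbf{x}$ is sampled uniformly
in $\mathcal{R}(\Lambda)$. Note that this definition slightly differs from that
in [27]: The present definition also takes into account the
minimum of $f_{\sigma,\Lambda}(\mathbf{x})$.

Proposition 1 (Expression of $\epsilon_\Lambda(\sigma)$). We have:

$$\epsilon_\Lambda(\sigma) = \gamma_\Lambda(\sigma)^{\frac{n}{2}} \, \Theta_\Lambda\!\left(\frac{1}{2\pi\sigma^2}\right) - 1$$

where $\gamma_\Lambda(\sigma) = \frac{V(\Lambda)^{2/n}}{2\pi\sigma^2}$ is the generalized signal-to-noise ratio
(GSNR)².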

Proof: Using the Fourier expansion of /cr,A(x) (see, e.g., 
H IH), we obtain, for all x € 7^(A): 



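$$\left| V(\Lambda) f_{\sigma,\Lambda}(\mathbf{x}) - 1 \right| = \Big| \sum_{\lambda^* \in \Lambda^*} e^{-2\pi^2\sigma^2\|\lambda^*\|^2} \cos(2\pi\langle\lambda^*, \mathbf{x}\rangle) - 1 \Big|$$

$$\overset{(a)}{\le} \sum_{\lambda^* \in \Lambda^*} e^{-2\pi^2\sigma^2\|\lambda^*\|^2} - 1$$

$$\overset{(b)}{=} V(\Lambda) f_{\sigma,\Lambda}(\mathbf{0}) - 1$$

$$\overset{(c)}{=} \frac{V(\Lambda)}{(\sqrt{2\pi}\sigma)^n} \, \Theta_\Lambda\!\left(\frac{1}{2\pi\sigma^2}\right) - 1$$

where the equality in (a) holds if $\mathbf{x} \in \Lambda$ so that $\langle\lambda^*, \mathbf{x}\rangle$ is an
integer for all $\lambda^* \in \Lambda^*$, (b) is due to the Poisson sum formula,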

^Note that this definition of GSNR is slightly different from similar 
definitions in literature, by a factor 27r or e. In particular, Poltyrev defined the 
GSNR as y(A)~/o-2 [2S1, while the volume-to-noise ratio (VNR) is defined 
as y(A)i/(27reo-2) in (ll[ll. 



and (c) follows from the definition of the theta series. The 
result follows. □ 

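Remark 2. The equality in (a) implies that the maxima of both
$f_{\sigma,\Lambda}(\mathbf{x})$ and $|f_{\sigma,\Lambda}(\mathbf{x}) - 1/V(\Lambda)|$ are reached when $\mathbf{x} \in \Lambda$.

Remark 3. From the expression

$$\epsilon_\Lambda(\sigma) = \sum_{\lambda^* \in \Lambda^*} e^{-2\pi^2\sigma^2\|\lambda^*\|^2} - 1,$$

it is easy to see that $\epsilon_\Lambda$ is a monotonically decreasing function,
i.e., for $\sigma_1 < \sigma_2$, we have $\epsilon_\Lambda(\sigma_2) < \epsilon_\Lambda(\sigma_1)$.

Remark 4. If $\Lambda_2$ is a sublattice of $\Lambda_1$, then $\epsilon_{\Lambda_1}(\sigma) \le \epsilon_{\Lambda_2}(\sigma)$.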

Remark 5. The flatness factor is scaling invariant, i.e.. 

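In the following, we show that the flatness factor is equivalent
to the notion of smoothing parameter that is commonly
used in lattice-based cryptography.

Definition 8 (Smoothing parameter [26]). For a lattice $\Lambda$ and
for $\epsilon > 0$, the smoothing parameter $\eta_\epsilon(\Lambda)$ is the smallest
$s > 0$ such that $\sum_{\lambda^* \in \Lambda^* \setminus \{0\}} e^{-\pi s^2 \|\lambda^*\|^2} \le \epsilon$.

Proposition 2. If $\eta_\epsilon(\Lambda) = \sqrt{2\pi}\sigma$, then $\epsilon_\Lambda(\sigma) = \epsilon$.

Proof: From the proof of Proposition 1, we can see that

$$\epsilon_\Lambda(\sigma) = \sum_{\lambda^* \in \Lambda^*} e^{-2\pi^2\sigma^2\|\lambda^*\|^2} - 1 = \sum_{\lambda^* \in \Lambda^* \setminus \{0\}} e^{-\pi s^2 \|\lambda^*\|^2}$$

for $s = \sqrt{2\pi}\sigma$. □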
Despite the equivalence, the flatness factor has two main 
technical advantages: 

• It allows for a direct characterization by the theta series. 
Note that it is e, not the smoothing parameter, that is of 
more interest to communications. 

• The studies of the smoothing parameter are mostly concerned
with small values of $\epsilon$, while the flatness factor
can handle both large and small values of $\epsilon$. This is of
interest in communication applications [27].

Figure 1 illustrates the flatness factor and lattice Gaussian
distribution at different GSNRs for lattice $\mathbb{Z}^2$. When the GSNR
is high (Fig. 1(a)), $\epsilon_\Lambda(\sigma)$ is large and the Gaussians are well
separated, implying reliable decoding is possible; this scenario
is desired in communications. When the GSNR is low (Fig.
1(b)), $\epsilon_\Lambda(\sigma)$ is small and the distribution is nearly uniform,
implying reliable decoding is impossible; this scenario is
desired in security and will be pursued in following sections.

The flatness factor also gives a bound on the variational
distance between the Gaussian distribution reduced mod $\mathcal{R}(\Lambda)$
and the uniform distribution $U_{\mathcal{R}(\Lambda)}$ on $\mathcal{R}(\Lambda)$. This result was
proven in [26] using the smoothing parameter when $\mathcal{R}(\Lambda)$ is
the fundamental parallelotope. We give a proof for any $\mathcal{R}(\Lambda)$,
for the sake of completeness.

Proposition 3. For $\mathbf{c} \in \mathbb{R}^n$, let $f(\mathbf{x})$ be the density function
of the distribution over $\mathcal{R}(\Lambda)$ defined by $f_{\sigma,\mathbf{c}} \bmod \mathcal{R}(\Lambda)$. Then

$$V(f, U_{\mathcal{R}(\Lambda)}) \le \epsilon_\Lambda(\sigma).$$
[Figure 1, panels: (a) $\gamma_\Lambda(\sigma) = 4$, $\epsilon_\Lambda(\sigma) = 3$; (b) $\gamma_\Lambda(\sigma) = 0.5$, $\epsilon_\Lambda(\sigma) = 0.0075$.]

Fig. 1. Lattice Gaussian distribution and flatness factor for $\mathbb{Z}^2$ (a) at high GSNR where $\epsilon_\Lambda(\sigma)$ is large and the Gaussians are well separated, and (b) at low
GSNR where $\epsilon_\Lambda(\sigma)$ is small and the distribution is nearly uniform.



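Proof: Observe that restricting $f_{\sigma,\Lambda}$ to any fundamental
region $\mathcal{R}(\Lambda)$ is equivalent to considering the Gaussian distribution
modulo $\mathcal{R}(\Lambda)$:

$$f(\mathbf{x}) = \sum_{\lambda \in \Lambda} f_{\sigma,\mathbf{c}}(\mathbf{x} - \lambda) 1_{\mathcal{R}(\Lambda)}(\mathbf{x}) = \sum_{\lambda \in \Lambda} f_{\sigma,\lambda}(\mathbf{x} - \mathbf{c}) 1_{\mathcal{R}(\Lambda)}(\mathbf{x}) = f_{\sigma,\Lambda}(\mathbf{x} - \mathbf{c}) 1_{\mathcal{R}(\Lambda)}(\mathbf{x}).$$

Then by definition of $\epsilon_\Lambda(\sigma)$, we find

$$\int_{\mathcal{R}(\Lambda)} \left| f(\mathbf{t}) - U_{\mathcal{R}(\Lambda)}(\mathbf{t}) \right| d\mathbf{t} = \int_{\mathcal{R}(\Lambda)} \left| f_{\sigma,\Lambda}(\mathbf{x} - \mathbf{c}) - \frac{1}{V(\Lambda)} \right| d\mathbf{x}$$

$$\le V(\Lambda) \max_{\mathbf{x} \in \mathcal{R}(\Lambda)} \left| f_{\sigma,\Lambda}(\mathbf{x} - \mathbf{c}) - \frac{1}{V(\Lambda)} \right| = V(\Lambda) \max_{\mathbf{x} \in \mathcal{R}(\Lambda) - \mathbf{c}} \left| f_{\sigma,\Lambda}(\mathbf{x}) - \frac{1}{V(\Lambda)} \right| \le \epsilon_\Lambda(\sigma),$$

because $\mathcal{R}(\Lambda) - \mathbf{c}$ is a fundamental region of $\Lambda$. □

By definition, the flatness factor in fact guarantees a stronger
property: if $\epsilon_\Lambda(\sigma) \to 0$, then $f_{\sigma,\Lambda}(\mathbf{x})$ converges uniformly to
the uniform distribution on the fundamental region.

The following result guarantees the existence of sequences
of lattices whose flatness factors can respectively vanish or
explode as $n \to \infty$.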

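Theorem 2. $\forall \sigma > 0$ and $\forall \delta > 0$, there exists a sequence of
mod-$p$ lattices $\Lambda^{(n)}$ such that

$$\epsilon_{\Lambda^{(n)}}(\sigma) \le (1 + \delta) \cdot \gamma_{\Lambda^{(n)}}(\sigma)^{\frac{n}{2}}, \qquad (12)$$

i.e., the flatness factor goes to zero exponentially as long as
the GSNR satisfies $\gamma_{\Lambda^{(n)}}(\sigma) < 1$; oppositely, there also exists
a sequence of mod-$p$ lattices $\Lambda'^{(n)}$ such that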



(13) 



i.e., its flatness factor goes to infinity exponentially as long as
$\gamma_{\Lambda'^{(n)}}(\sigma) > 1$.



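Proof: Lemma 3 guarantees that for all $n$, $\delta$ and $\tau$ there
exists $a(n, \delta, \tau)$ (and the corresponding $p$ such that $a^n p^{n-k} = V(\Lambda)$)
such that $E_C\left[\Theta_{a\Lambda_C}(\tau)\right] \le 1 + \delta + \frac{1}{V(\Lambda)\tau^{n/2}}$. Here $C$
is sampled uniformly among all linear $(n, k)$ codes over $\mathbb{Z}_p$
and $a\Lambda_C = \{a\mathbf{v} : \mathbf{v} \in \Lambda_C\}$. Therefore there exists a sequence
of lattices $\Lambda^{(n)}$ such that $\Theta_{\Lambda^{(n)}}(\tau) \le 1 + \delta + \frac{1}{V(\Lambda^{(n)})\tau^{n/2}}$. For
this sequence, Proposition 1 gives $\epsilon_\Lambda(\sigma) \le (1 + \delta)\gamma_\Lambda(\sigma)^{\frac{n}{2}}$
when we let $\tau = \frac{1}{2\pi\sigma^2}$. The second half of the theorem can
be proved in a similar fashion. □

Theorem 2 shows a phenomenon of "phase transition" for
the flatness factor, where the boundary is $\gamma_\Lambda(\sigma) = 1$.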



Remark 6. In fact, we can show a concentration result on
the flatness factor of the ensemble of mod-$p$ lattices, that is,
most mod-$p$ lattices have a flatness factor concentrating around
$\gamma_{\Lambda^{(n)}}(\sigma)^{\frac{n}{2}}$. In particular, using the Markov inequality, we see
that with probability higher than $1 - 2^{-n}$ over the choice of
$\Lambda^{(n)}$,

$$\epsilon_{\Lambda^{(n)}}(\sigma) \le (1 + \delta) \cdot \left[4\gamma_{\Lambda^{(n)}}(\sigma)\right]^{\frac{n}{2}}. \qquad (14)$$

Thus, for $\gamma_{\Lambda^{(n)}}(\sigma) < 1/4$, we could have $\epsilon_{\Lambda^{(n)}}(\sigma) \to 0$
exponentially. This is slightly worse than what we have in (12),
but it holds with very high probability, making the construction
of the scheme potentially more practical.

E. Properties of the Flatness Factor 

In this section we collect known properties and further 
derive new properties of lattice Gaussian distributions that will 
be useful in the paper. 

From the definition of the flatness factor and Remark 2, one can derive the following result (see also [26, Lemma 4.4]):



Lemma 4. For all c 

/.(A) 



and a > 0, we have: 

l-eA{a) 



1 



The following lemma shows that, when the flatness factor of the coarse lattice is small, a discrete Gaussian distribution over the fine lattice results in almost uniformly distributed cosets, and vice versa. The first half of the lemma is a corollary of Lemma 4 (see [2^, Corollary 2.7]), while the second half is proven in Appendix II V-B I

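Lemma 5. Let $\Lambda' \subset \Lambda$ be a pair of nested lattices such that $\epsilon_{\Lambda'}(\sigma) < \frac{1}{2}$. Then

$$\mathbb{V}\left(D_{\Lambda,\sigma,\mathbf{c}} \bmod \Lambda', U(\Lambda/\Lambda')\right) \le 4\epsilon_{\Lambda'}(\sigma),$$

where $U(\Lambda/\Lambda')$ denotes the uniform distribution over the finite set $\Lambda/\Lambda'$. Conversely, if $L$ is uniformly distributed in $\Lambda/\Lambda'$ and $L'$ is sampled from $D_{\Lambda',\sigma,\mathbf{c}-L}$, then

$$\mathbb{V}\left(L + L', D_{\Lambda,\sigma,\mathbf{c}}\right) \le \frac{2\epsilon_{\Lambda'}(\sigma)}{1 - \epsilon_{\Lambda'}(\sigma)}.$$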



The following result shows that the variance per dimension of the discrete Gaussian $D_{\Lambda,\sigma,\mathbf{c}}$ is not too far from $\sigma^2$ when the flatness factor is small. The result follows easily by combining Lemma 4.2 and the proof of Lemma 4.3 in [26].

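Lemma 6. Let $L$ be sampled from the Gaussian distribution $D_{\Lambda,\sigma,\mathbf{c}}$. If $\epsilon \triangleq \epsilon_\Lambda(\sigma/2) < 1$, then

$$\left| \frac{\mathbb{E}\left[\|L - \mathbf{c}\|^2\right]}{n} - \sigma^2 \right| \le \frac{2\pi\epsilon}{1 - \epsilon}\,\sigma^2.$$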



From the maximum-entropy principle fsd. Chap. 11], it 
follows that the discrete Gaussian distribution maximizes the entropy given the average energy and given the same support over a lattice. The following lemma further shows that if the flatness factor is small, the entropy rate of a discrete Gaussian $D_{\Lambda,\sigma,\mathbf{c}}$ is almost equal to the differential entropy of a continuous Gaussian of variance $\sigma^2$, minus $\frac{1}{n}\log V(\Lambda)$, that of a uniform distribution over the fundamental region of $\Lambda$.

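Lemma 7 (Entropy of discrete Gaussian). Let $L \sim D_{\Lambda,\sigma,\mathbf{c}}$. If $\epsilon \triangleq \epsilon_\Lambda(\sigma/2) < 1$, then the entropy rate of $L$ satisfies

$$\left| \frac{1}{n}H(L) - \left[ \log(\sqrt{2\pi e}\,\sigma) - \frac{1}{n}\log V(\Lambda) \right] \right| \le \epsilon',$$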



where e' — — iHS(J_ 

n 

Proof: By using the identity /cr,c(A) = 

'Ac (A) 



we obtain: 



(V2ircr)" 



':H(L) = -i^##log 



n — /.,c(A) 



/.,c(A) 



-log U^aTf^^^iK) 
n V 

log((^/2^a)"Ac(A)) + 2^^, 



/<x,c(A) ||A-c|| 



1 



E 



|L-c|| 



Due to the definition of the flatness factor, we have 

■l-eA(o-) l + eA(CT)" 



Moreover, Lemma |6] implies 



y(A) 



2nCT2 



E 



|L-c| 



Tie 



Tie 



l-e 2 l-e 



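Since $\epsilon_\Lambda(\sigma) \le \epsilon_\Lambda(\sigma/2) = \epsilon$, we have

$$\left| \frac{1}{n}H(L) - \left[ \log(\sqrt{2\pi e}\,\sigma) - \frac{1}{n}\log V(\Lambda) \right] \right| \le \frac{1}{n}\max\{\log(1+\epsilon), -\log(1-\epsilon)\} + \frac{\pi\epsilon}{1-\epsilon}.$$

The proof is completed. □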
The following lemma by Regev (adapted from 1131 



Claim 3.9]) shows that if the flatness factor is small, the sum 
of a discrete Gaussian and a continuous Gaussian is very close 
to a continuous Gaussian. 

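Lemma 8. Let $\mathbf{c} \in \mathbb{R}^n$ be any vector, and $\sigma_0, \sigma > 0$. Consider the continuous distribution $g$ on $\mathbb{R}^n$ obtained by adding a continuous Gaussian of variance $\sigma^2$ to a discrete Gaussian $D_{\Lambda+\mathbf{c},\sigma_0}$:

$$g(\mathbf{x}) = \frac{1}{f_{\sigma_0}(\Lambda + \mathbf{c})} \sum_{\mathbf{t} \in \Lambda + \mathbf{c}} f_{\sigma_0}(\mathbf{t}) f_\sigma(\mathbf{x} - \mathbf{t}).$$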



If e ^ 
close to 1: 



< 



Vxe 



then 



9W 



3(x) 



is uniformly 



- 1 



< 4£. 



(15) 



In particular, the distribution g{x) is close to the continuous 



Gaussian density f 



in L distance: 



IV. MOD-$\Lambda$ Gaussian Wiretap Channel

Before considering the Gaussian wiretap channel, we will tackle a simpler model where a modulo lattice operation is performed at both the legitimate receiver's and eavesdropper's end. That is, both the legitimate channel and the eavesdropper's channel are mod-$\Lambda$ channels. The mod-$\Lambda$ channel is more tractable and captures the essence of the technique based on the flatness factor.

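A. Channel Model

Let $\Lambda_s \subset \Lambda_e \subset \Lambda_b$ be a nested chain of $n$-dimensional lattices in $\mathbb{R}^n$ such that

$$\frac{1}{n}\log|\Lambda_b/\Lambda_e| = R, \qquad \frac{1}{n}\log|\Lambda_e/\Lambda_s| = R'.$$

We consider the mod-$\Lambda_s$ wiretap channel depicted in Figure 2. The input $X^n$ belongs to the Voronoi region $\mathcal{V}(\Lambda_s)$ (i.e., $\Lambda_s$ is the shaping lattice), while the outputs $Y^n$ and $Z^n$ at Bob and Eve's end respectively are given by

$$\begin{cases} Y^n = [X^n + W_b^n] \bmod \Lambda_s, \\ Z^n = [X^n + W_e^n] \bmod \Lambda_s, \end{cases} \tag{16}$$

where $W_b^n$, $W_e^n$ are $n$-dimensional Gaussian vectors with zero mean and variance $\sigma_b^2$, $\sigma_e^2$ respectively.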

As in the classical Gaussian channel, the transmitted codebook $\mathcal{C}$ must satisfy the average power constraint ([T]). We denote this wiretap channel by $W(\Lambda_s, \sigma_b, \sigma_e, P)$. Let $\mathrm{SNR}_b = P/\sigma_b^2$ and $\mathrm{SNR}_e = P/\sigma_e^2$ be the signal-to-noise ratios (SNR) of Bob and Eve, respectively.

Fig. 2. The mod-$\Lambda_s$ Gaussian wiretap channel.

Remark 7. As was shown in fl^L the capacity of a mod-$\Lambda$ channel (without MMSE filtering) with noise variance $\sigma^2$ is achieved by the uniform distribution on $\mathcal{V}(\Lambda)$ and is given by

$$C(\Lambda, \sigma^2) = \frac{1}{n}\left(\log(V(\Lambda)) - h(\Lambda, \sigma^2)\right), \tag{17}$$

where $h(\Lambda, \sigma^2)$ is the differential entropy of the $\Lambda$-aliased noise $\bar{W}^n = [W^n] \bmod \Lambda$. Intuitively, the shaping lattice $\Lambda_s$ must have a big flatness factor for Bob, otherwise $\bar{W}^n$ will tend to a uniform distribution such that the capacity is small.

However, to the best of our knowledge, determining the secrecy capacity of the mod-$\Lambda$ wiretap channel (16) is still an open problem. Corollary 2 in [33] provides the lower bound

$$C_s \ge C(\Lambda_s, \sigma_b^2) - C(\Lambda_s, \sigma_e^2).$$

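B. Nested Lattice Codes for Binning

Consider a message set $\mathcal{M}_n = \{1, \ldots, e^{nR}\}$, and a one-to-one function $f : \mathcal{M}_n \to \Lambda_b/\Lambda_e$ which associates each message $m \in \mathcal{M}_n$ to a coset leader $\lambda_m \in \Lambda_b \cap \mathcal{V}(\Lambda_e)$. Note that we make no a priori assumption on the distribution of $m$. In order to encode the message $m$, Alice selects a random lattice point $\lambda \in \Lambda_e \cap \mathcal{V}(\Lambda_s)$ according to the discrete uniform distribution $p_L(\lambda) = \frac{1}{e^{nR'}}$ and transmits $X^n = \lambda + \lambda_m$. For $\lambda \in \Lambda_e/\Lambda_s$, define

$$\mathcal{R}(\lambda) = (\mathcal{V}(\Lambda_e) + \lambda) \bmod \Lambda_s = (\mathcal{V}(\Lambda_e) + \lambda + \Lambda_s) \cap \mathcal{V}(\Lambda_s).$$

The $\mathcal{R}(\lambda)$'s are fundamental regions of $\Lambda_e$ and

$$\bigcup_{\lambda \in \Lambda_e/\Lambda_s} \mathcal{R}(\lambda) = \mathcal{V}(\Lambda_s). \tag{18}$$

Figure 3 illustrates this relation by an example where $\Lambda_e = A_2$ and $\Lambda_s = 3A_2$.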

To satisfy the power constraint, we choose a shaping lattice whose second moment per dimension $\sigma^2(\Lambda_s^{(n)}) = P$. Under the continuous approximation for large constellations (which could further be made precise by applying a dither), the transmission power will be equal to $P$.

^It is known that if an MMSE filter is added before the mod-$\Lambda$ operation, there exists a sequence of lattices approaching the capacity of the AWGN channel [15], [33]. However, MMSE filtering is not considered in this section.

Fig. 3. The grey area represents the region $\mathcal{R}(\lambda)$ defined in (18) for the lattice pair $\Lambda_e = A_2$, $\Lambda_s = 3A_2$, with $\lambda = (3, 0)$.

C. A Sufficient Condition for Strong Secrecy

We now apply the continuous version of Csiszar's Lemma (Lemma [T]) to derive an upper bound on the amount of leaked information on the mod-$\Lambda_s$ wiretap channel (16). Note that even though we consider a mod-$\Lambda_s$ channel, the secrecy condition is given in terms of the flatness factor of the lattice $\Lambda_e$.

Theorem 3. Suppose that the flatness factor of $\Lambda_e$ is $\epsilon_n = \epsilon_{\Lambda_e}(\sigma_e)$ on the eavesdropper's channel. Then

$$I(M; Z^n) \le 2\epsilon_n nR - 2\epsilon_n \log(2\epsilon_n). \tag{19}$$

Proof: Let Z" = X" + W". We have, for any message m: 

PZ"|M=m(z) = R(^) ■PZ"|X"(z|^ + Arn) 

AeAenv(Aj 

= H /<t,,a,„+a(z)- 

AeA^nV(A^) 

The output distribution of Eve's channel conditioned on m 
having been sent is then given by 

PZ"|M=m(z) = P(Z"modAs)|M=m(2) 

= ^Y1 lv(A.)(z) ■ /..,a„+a(z) 

AeAe 

= ^ II 1k(a)(z)-/<x„a„+a(z) 

ASA^/A., AeAe 

E l^(A)(-)-^e,A„(z-A) 

AeAe/Aa AeAe 
AeAe/Aa 

where fy^iz) = EagA, 1k(A)(z) ' U..kS^ - A) is the 
density function of a continuous Gaussian with variance 
and center Am reduced modulo the fundamental region TZ(X). 
From Proposition [3] we have that V(/a, C/t^jX)) < eAe(o'e)
for all A G Ae/A^. From the decomposition J7y(A3)(z)
^ ExeAe/A. t^K(A)(z)' we obtain 

V^(PZ"|M=mi t^V(As)) 
1 



< 



E 



AeAe/As 
< eA,(CTe). 



J?,(A) 



/a(z) - '^K(A)(Z 



Recalling the definition of dav in Lemma [T] defining 
gz(z) = CA^(A,)(^)' ^ii'^ using the inequality (|6]l, we find 
that dav < 2e^(Ti) ((Te). Then the mutual information can be 
estimated using Lemma |2] □ 

From Theorem 3 we obtain a sufficient condition for a sequence of nested lattice wiretap codes to achieve strong secrecy.

Corollary 1. For any sequence of lattices $\Lambda_e^{(n)}$ such that $\epsilon_{\Lambda_e^{(n)}}(\sigma_e) = o\left(\frac{1}{n}\right)$ as $n \to \infty$, we have $I(M; Z^n) \to 0$.

In fact, Theorem 2 guarantees the existence of mod-$p$ lattices $\Lambda_e^{(n)}$ whose flatness factor is exponentially small. Therefore, if Eve's generalized SNR $\gamma_{\Lambda_e}(\sigma_e)$ is smaller than 1, then strong secrecy can be achieved by such lattice codes, and in that setup the mutual information will vanish exponentially fast. We say that such lattices achieve Ce-secrecy.

Now, we introduce the notion of secrecy-good lattices. Roughly speaking, a lattice is good for secrecy if its flatness factor is small. Although $\epsilon_{\Lambda_e^{(n)}}(\sigma_e) = o\left(\frac{1}{n}\right)$ is sufficient to achieve strong secrecy, it is desired in practice that the information leakage is exponentially small. Thus, we define secrecy-goodness as follows:

Definition 9 (Secrecy-good). A sequence of lattices $\Lambda^{(n)}$ is secrecy-good if

eA(")('^) <2^''^"\ V7Aw(a)<l. (20) 

This property is invariant with respect to scaling, i.e., when both $\sigma$ and $\Lambda$ are scaled accordingly (cf. Remark 5). It is slightly more general than (12) of Theorem 2. The purpose is to accommodate the lattices whose theta series are close to, but not exactly below the Minkowski-Hlawka bound.

Alternatively, we may employ the smoothing parameter to state the secrecy goodness of lattices. From (12), we have that on average the smoothing parameter of mod-$p$ lattices is given by

-{l + 5)V{K)V''- 



Ve 



V{A) 



l/n 



for any fixed e. So, equivalently a sequence of lattices A^"^ 
is secrecy-good if the smoothing parameter is smaller than 
or equal to rye- In other words. A'"' has a threshold of noise 
standard deviation Ue smaller than or equal to '^^"^^^ beyond 



which the amount of information leakage vanishes. 

D. Existence of Good Wiretap Codes from Nested Lattices

A priori, the secrecy-goodness property established in the previous subsection may come at the expense of reliability for the legitimate receiver. We will show that this is not the case, i.e., that there exists a sequence of nested lattices which guarantee both strong secrecy rates and reliability:

Proposition 4. Given $R, R' > 0$, there exists a sequence of nested lattices $\Lambda_s^{(n)} \subset \Lambda_e^{(n)} \subset \Lambda_b^{(n)}$ whose nesting ratios satisfy

$$R_n = \frac{1}{n}\log\frac{V(\Lambda_e)}{V(\Lambda_b)} \to R, \qquad R'_n = \frac{1}{n}\log\frac{V(\Lambda_s)}{V(\Lambda_e)} \to R'$$

when $n \to \infty$, and such that

- $\Lambda_s^{(n)}$ is quantization and AWGN-good,

- $\Lambda_e^{(n)}$ is secrecy-good,

- $\Lambda_b^{(n)}$ is AWGN-good.

The proof of Proposition 4 can be found in Appendix III and follows the approach of [34]. The main novelty is the addition of the secrecy-goodness property, which requires checking that the corresponding condition is compatible with the ones introduced in [34].

Theorem 4. Let > e ■ a^. Then as n ^ oo, all strong 
secrecy rates R satisfying 



i? < i log 



are achievable using nested lattice codes $\Lambda_s^{(n)} \subset \Lambda_e^{(n)} \subset \Lambda_b^{(n)}$ on the mod-$\Lambda_s^{(n)}$ wiretap channel $W(\Lambda_s, \sigma_b, \sigma_e, P)$.

Proof: Consider the binning scheme described in Section IV-B, where the nested lattices $\Lambda_s^{(n)} \subset \Lambda_e^{(n)} \subset \Lambda_b^{(n)}$ are given by Proposition 4. Since $\Lambda_b^{(n)}$ is AWGN-good, without MMSE filtering, a channel coding rate (without secrecy constraint) $R + R' < \frac{1}{2}\log \mathrm{SNR}_b$ is achievable at the legitimate receiver's end, with the error probability vanishing exponentially fast in $n$ [15].



Since Ae is secrecy-good, by Theorem [2] in order to have 
strong secrecy at the eavesdropper's end, it is sufficient for 
mod-p lattices to have 



7A,(CTe) 



where V{As)~ 



V{A, 



P 



27rea2(Ai"^) because aI"^ 



good and also P = (T'^(Ai"^) under the continuous approxi- 
mation. The above relation implies 



< 1, 



IS quantization- 



R' > ilogSNRe+^. 



(21) 



Consequently, all strong secrecy rates R satisfying 

are achievable on the wiretap channel W(As,ab, (Je,P)- Note 
that positive rates are achievable by the proposed scheme only 



if CT^ > e 



□ 



For high SNR, the strong secrecy rate that can be achieved using Proposition 4 is very close to the lower bound on the secrecy capacity, to within a half nat.

Remark 8. In our strong secrecy scheme, the output distribution of each bin with respect to the eavesdropper's channel approaches the output of the uniform distribution in variational distance. That is, each bin is a resolvability code in the sense of Han and Verdú [35]. In lilTl llSll it was shown that for discrete memoryless channels, resolvability-based random wiretap codes achieve strong secrecy; we have followed a similar approach for the Gaussian channel.

In the case when the target output distribution is capacity-achieving, a necessary condition for the bins to be resolvability codes is that the bin rate should be greater than the eavesdropper's channel capacity. Note that this is consistent with the condition (21): if $\Lambda_s$ is good for quantization, the entropy of the $\Lambda_s$-aliased noise $\bar{W}^n = [W^n] \bmod \Lambda_s$ tends to the entropy of a white Gaussian noise with the same variance



161], and V{Ks) ~ , so the capacity C(As,cr^) of 

the eavesdropper's channel given by equation (17) tends to $\frac{1}{2}\log 2\pi e P - \frac{1}{2}\log 2\pi e \sigma_e^2 = \frac{1}{2}\log \mathrm{SNR}_e$.

Remark 9 (Relation to Poltyrev's setting of infinite constellations). Poltyrev initiated the study of infinite constellations in the presence of Gaussian noise uM-. In this setting, although the standard channel capacity is meaningless (so he defined generalized capacity), the secrecy capacity is finite. This is because the secrecy capacity of the Gaussian wiretap channel as $P \to \infty$ converges to a finite rate $\frac{1}{2}\log\left(\frac{\sigma_e^2}{\sigma_b^2}\right)$. Lattice codes cannot be better than this, so it is an upper bound. Even though we considered a mod-$\Lambda_s$ channel in this section, we may enlarge $\mathcal{V}(\Lambda_s)$ (i.e., increase $R'$ while fixing $R$) to approach an infinite constellation. Since the upper bound (19) on the mutual information of our proposed scheme is independent of $\mathcal{V}(\Lambda_s)$, the limit exists as $\mathcal{V}(\Lambda_s) \to \infty$. This corresponds to the case of infinite constellations. Further, the achieved secrecy rate is only a half nat away from the upper bound.

V. Gaussian Wiretap Channel

Although the mod-$\Lambda$ channel has led to considerable insights, there is no reason in real-world applications why the eavesdropper would be restricted to use the modulo operation in the front end of her receiver. In this section, we remove this restriction and solve the problem of the Gaussian wiretap channel using lattice Gaussian signaling.

A. Channel Model 



Fig. 4. The Gaussian wiretap channel.

Fig. 5. Lattice Gaussian signaling (circle) over $2\mathbb{Z}$ and its coset $2\mathbb{Z} + 1$ for $\sigma_0 = 2$. The profile (dashed) is the underlying continuous Gaussian distribution.

Let $\Lambda_e \subset \Lambda_b$ be $n$-dimensional lattices in $\mathbb{R}^n$ such that

$$\frac{1}{n}\log|\Lambda_b/\Lambda_e| = R.$$

We consider the Gaussian wiretap channel depicted in Fig. 4 whose outputs $Y^n$ and $Z^n$ at Bob and Eve's end respectively are given by

$$\begin{cases} Y^n = X^n + W_b^n, \\ Z^n = X^n + W_e^n, \end{cases} \tag{22}$$

where $W_b^n$, $W_e^n$ are $n$-dimensional Gaussian vectors with zero mean and variance $\sigma_b^2$, $\sigma_e^2$ respectively. The transmitted codebook $\mathcal{C}$ must satisfy the average power constraint ([T]). We denote this wiretap channel by $W(\sigma_b, \sigma_e, P)$. Again, let $\mathrm{SNR}_b = P/\sigma_b^2$ and $\mathrm{SNR}_e = P/\sigma_e^2$.



B. Lattice Gaussian Signaling

Consider a message set $\mathcal{M}_n = \{1, \ldots, e^{nR}\}$, and a one-to-one function $\phi : \mathcal{M}_n \to \Lambda_b/\Lambda_e$ which associates each message $m \in \mathcal{M}_n$ to a coset $\tilde{\lambda}_m \in \Lambda_b/\Lambda_e$. One could choose the coset leader $\lambda_m \in \Lambda_b \cap \mathcal{R}(\Lambda_e)$ for any fundamental region $\mathcal{R}(\Lambda_e)$, not necessarily the Voronoi region $\mathcal{V}(\Lambda_e)$. This is because the signal powers corresponding to different $m$ will be nearly the same, as shown in the following. This property can result in convenient implementation of the encoder. Note again that we make no a priori assumption on the distribution of $m$.

In order to encode the message $m \in \mathcal{M}_n$, Alice samples $X_m^n$ from $D_{\Lambda_e+\lambda_m,\sigma_0}$ (as defined in Section III-C); equivalently, Alice transmits $\lambda + \lambda_m$ where $\lambda \sim D_{\Lambda_e,\sigma_0,-\lambda_m}$. The choice of the variance will be discussed later in this Section.

It is worth mentioning that the distribution $D_{\Lambda_e+\lambda_m,\sigma_0}$ is always centered at $0$ for all bins. Fig. 5 illustrates the proposed lattice Gaussian signaling using an example $\Lambda_e = 2\mathbb{Z}$ for $\sigma_0 = 2$. It is clear that both $D_{2\mathbb{Z},\sigma_0}$ and $D_{2\mathbb{Z}+1,\sigma_0}$ are centered at $0$, sharing the same continuous Gaussian profile. This is key for the conditional output distributions corresponding to different $m$ to converge to the same distribution.

Lemma 6 implies that if $\epsilon_{\Lambda_e}(\sigma_0/2) < 1/2$, then

$$\left| \frac{\mathbb{E}\left[\|X_m^n\|^2\right]}{n} - \sigma_0^2 \right| \le \frac{2\pi\epsilon_{\Lambda_e}(\sigma_0/2)}{1 - \epsilon_{\Lambda_e}(\sigma_0/2)}\,\sigma_0^2,$$

which is independent of $m$. Note that the overall input distribution is a mixture of the densities of $X_m^n$:

$$p_{X^n}(\mathbf{x}) = \sum_{m \in \mathcal{M}_n} p_M(m)\, p_{X_m^n}(\mathbf{x}). \tag{23}$$

Since the second moment in zero of a mixture of densities is the weighted sum of the second moments in zero of the individual densities, we have

$$\left| \frac{\mathbb{E}\left[\|X^n\|^2\right]}{n} - \sigma_0^2 \right| \le \frac{2\pi\epsilon_{\Lambda_e}(\sigma_0/2)}{1 - \epsilon_{\Lambda_e}(\sigma_0/2)}\,\sigma_0^2. \tag{24}$$

We choose $\sigma_0^2 = P$ in order to satisfy the average power constraint ([T]) asymptotically (as $\epsilon_{\Lambda_e}(\sigma_0/2) \to 0$). For convenience, let $\rho_b = \sigma_0^2/\sigma_b^2$ and $\rho_e = \sigma_0^2/\sigma_e^2$. It holds that $\rho_b \to \mathrm{SNR}_b$ and $\rho_e \to \mathrm{SNR}_e$ if $\epsilon_{\Lambda_e}(\sigma_0/2) \to 0$.

C. Achieving Strong Secrecy

We will now show that under suitable hypotheses, the conditional output distributions at Eve's end converge in variational distance to the same continuous Gaussian distribution, thereby achieving strong secrecy.

Recall that Eve's channel transition probability is given by

$$p_{Z^n|X^n}(\mathbf{z}\,|\,\lambda_m + \lambda) = f_{\sigma_e,\lambda_m+\lambda}(\mathbf{z}).$$

Let $\tilde{\sigma}_e = \frac{\sigma_0\sigma_e}{\sqrt{\sigma_0^2+\sigma_e^2}}$. Lemma 8 implies that if $\epsilon_{\Lambda_e}(\tilde{\sigma}_e) < \frac{1}{2}$, then:

$$\mathbb{V}\left(p_{Z^n|M}(\cdot\,|\,m),\, f_{\sqrt{\sigma_0^2+\sigma_e^2}}\right) \le 4\epsilon_{\Lambda_e}(\tilde{\sigma}_e).$$

An upper bound on the amount of leaked information then follows directly from Lemma 2.

Theorem 5. Suppose that the wiretap coding scheme described above is employed on the Gaussian wiretap channel (22), and let $\epsilon_n = \epsilon_{\Lambda_e^{(n)}}(\tilde{\sigma}_e)$. Assume that $\epsilon_n < \frac{1}{2}$ for all $n$. Then the mutual information between the confidential message and the eavesdropper's signal is bounded as follows:

$$I(M; Z^n) \le 8\epsilon_n nR - 8\epsilon_n \log 8\epsilon_n. \tag{25}$$

From Theorem 5 we obtain a sufficient condition for a sequence of nested lattice wiretap codes to achieve strong secrecy:

Corollary 2. For any sequence of lattices $\Lambda_e^{(n)}$ such that $\epsilon_{\Lambda_e^{(n)}}(\tilde{\sigma}_e) = o\left(\frac{1}{n}\right)$ as $n \to \infty$, we have $I(M; Z^n) \to 0$.

Note that $\tilde{\sigma}_e$ is smaller than both $\sigma_e$ and $\sigma_0$. The first inequality $\tilde{\sigma}_e < \sigma_e$ means that

• Because of the monotonicity of the flatness factor (Remark 3), achieving strong secrecy on the Gaussian wiretap channel is a bit more demanding than that on the mod-$\Lambda$ channel;

• Yet they are equally demanding at high SNR, since $\tilde{\sigma}_e \to \sigma_e$ as $\sigma_0 \to \infty$.

The second inequality $\tilde{\sigma}_e < \sigma_0$ requires that $\epsilon_{\Lambda_e}(\sqrt{P})$ be small, which means that a minimum power $P$ is needed (specifically, $\sqrt{P}$ should be larger than the smoothing parameter of $\Lambda_e$).
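The one-dimensional case of Fig. 5, worked numerically as an added example that is not code from the paper: $\Lambda_e = 2\mathbb{Z}$ with the two bins $2\mathbb{Z}$ and $2\mathbb{Z}+1$ and $\sigma_0 = 2$. It evaluates the flatness factor $\epsilon_{\Lambda_e}(\tilde{\sigma}_e)$, the $L^1$ (variational) distance of each of Eve's conditional output densities from the continuous Gaussian of variance $\sigma_0^2 + \sigma_e^2$, and the leakage $I(M;Z)$ against the right-hand side of (25). Assumptions of the example: the two values of $\sigma_e$, a uniform message when computing $I(M;Z)$, the integration grid, the cut-off at which (25) is evaluated, and the form $\tilde{\sigma}_e = \sigma_0\sigma_e/\sqrt{\sigma_0^2+\sigma_e^2}$.

```python
import math


def gauss(x, sigma):
    """Continuous zero-mean Gaussian density f_sigma(x), dimension n = 1."""
    return math.exp(-x * x / (2.0 * sigma * sigma)) / (math.sqrt(2.0 * math.pi) * sigma)


def coset(step, shift, radius):
    """Points of the coset step*Z + shift that lie in [-radius, radius]."""
    lo = math.ceil((-radius - shift) / step)
    hi = math.floor((radius - shift) / step)
    return [step * k + shift for k in range(lo, hi + 1)]


def flatness_factor(step, sigma):
    """eps_Lambda(sigma) = max_x |V(Lambda) f_{sigma,Lambda}(x) - 1| for Lambda = step*Z.

    In one dimension the maximum is attained on a lattice point, so the periodic
    Gaussian f_{sigma,Lambda} is evaluated at x = 0 (tails cut at 12 sigma).
    """
    at_zero = sum(gauss(t, sigma) for t in coset(step, 0.0, 12.0 * sigma + step))
    return step * at_zero - 1.0


def discrete_gaussian(step, shift, sigma0):
    """D_{Lambda+shift, sigma0} as (point, probability) pairs, cut at 12 sigma0."""
    points = coset(step, shift, 12.0 * sigma0)
    weights = [gauss(t, sigma0) for t in points]
    total = sum(weights)
    return [(t, w / total) for t, w in zip(points, weights)]


def eve_density(z, bin_dist, sigma_e):
    """p_{Z|M}(z|m): the bin's discrete Gaussian convolved with Eve's noise."""
    return sum(p * gauss(z - t, sigma_e) for t, p in bin_dist)


def leakage_nats(per_message, h):
    """I(M;Z) in nats for a uniform message, densities sampled on a grid of step h."""
    k = len(per_message)
    total = 0.0
    for values in zip(*per_message):
        pz = sum(values) / k
        total += sum(p / k * math.log(p / pz) for p in values if p > 0.0)
    return total * h


def theorem5_rhs(eps, n, rate):
    """Right-hand side of (25), 8 eps n R - 8 eps log(8 eps), in nats."""
    return 8.0 * eps * n * rate - 8.0 * eps * math.log(8.0 * eps)


def analyse(sigma0, sigma_e, step=2.0, h=0.02):
    """Lambda_e = step*Z and Lambda_b = (step/2)*Z: two bins, R = log 2 nats, n = 1."""
    total_sigma = math.sqrt(sigma0 ** 2 + sigma_e ** 2)
    sigma_tilde = sigma0 * sigma_e / total_sigma  # assumed form of sigma~_e
    eps = flatness_factor(step, sigma_tilde)
    half = int(12.0 * total_sigma / h)
    grid = [i * h for i in range(-half, half + 1)]
    bins = [discrete_gaussian(step, m * step / 2.0, sigma0) for m in (0, 1)]
    dens = [[eve_density(z, b, sigma_e) for z in grid] for b in bins]
    target = [gauss(z, total_sigma) for z in grid]
    return {
        "eps": eps,
        # average power of each bin; the text argues it is nearly sigma0^2 for every m
        "power": [sum(p * t * t for t, p in b) for b in bins],
        # L1 distance between p_{Z|M}(.|m) and the Gaussian of variance sigma0^2 + sigma_e^2
        "dist_to_gaussian": [h * sum(abs(a - g) for a, g in zip(row, target)) for row in dens],
        "leakage": leakage_nats(dens, h),
        # (25) is only evaluated when 8*eps < 1 (cut-off chosen for this example)
        "bound": theorem5_rhs(eps, 1, math.log(2.0)) if eps < 0.125 else None,
    }


NOISY = analyse(sigma0=2.0, sigma_e=2.0)  # constructed: Eve's noise as strong as sigma0
QUIET = analyse(sigma0=2.0, sigma_e=0.3)  # constructed: Eve's channel almost noiseless

if __name__ == "__main__":
    for name, result in (("sigma_e = 2.0", NOISY), ("sigma_e = 0.3", QUIET)):
        print(name, result)
```

With $\sigma_e = 2$ the flatness factor is about $1.03 \cdot 10^{-4}$ and the computed leakage stays below the right-hand side of (25); with $\sigma_e = 0.3$ the flatness factor exceeds 1, the bound is not evaluated, and Eve recovers a large part of the one-bit message.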

Remark 10. Note that, similarly to the mod-$\Lambda$ case (Remark 8), each bin of our strong secrecy scheme may be viewed as a resolvability code, and thus the bin rate must necessarily be above Eve's channel capacity. Indeed, the bin rate can be chosen to be quite close to this optimal value: note that for $\epsilon_n$ in Theorem 5 to vanish, it suffices that



7A, (ffe) 



V^(Ae) 



2/n 



< 1 



(26) 



for the mod-p lattices of the first part of Theorem |2] By 
Proposition |7] when e — e^^ ("■0/2) < 1, the entropy rate 
of each bin satisfies 

1 



R' > log(V27reao) - - log V{Ae) - e' 
n 

1 / 22 
>log(y2^ao)--log 27r4"''' 



'0 



— E 



1 



On 



log 



- log (1 + pe 



1 

■-2- 



(Tn as e 







as 



0. 



where e' is defined in Proposition |7] Since P 
(by dsn), we have pe SNRe. Also, e' - 
To make e — > 0, we only need an extra sufficient condition 
7Ae (o'o/2) < 1 for the mod-p lattices of Theorem |2] 



D. Achieving Reliability

Now we show Bob can reliably decode the confidential message by using MMSE lattice decoding. Consider the decoding scheme for Bob where he first decodes to the fine lattice $\Lambda_b$, then applies the mod-$\Lambda_e$ operation to recover the confidential message. We note that the distribution of Alice's signal can be approximated by $D_{\Lambda_b,\sigma_0}$, when the confidential message is uniformly distributed. More precisely, since Alice transmits $\mathbf{x} \sim D_{\Lambda_e+\lambda_m,\sigma_0}$, by Lemma 5 the density $p_{X^n}$ of $\mathbf{x}$ is close to the discrete Gaussian distribution over $\Lambda_b$, if $\lambda_m \in \Lambda_b/\Lambda_e$ is uniformly distributed. In fact, we have $\mathbb{V}(p_{X^n}, D_{\Lambda_b,\sigma_0}) \le \frac{2\epsilon}{1-\epsilon}$ when $\epsilon = \epsilon_{\Lambda_e}(\sigma_0) < \frac{1}{2}$.

We will derive the maximum-a-posteriori (MAP) decoding rule for decoding to $\Lambda_b$, assuming a discrete Gaussian distribution $D_{\Lambda_b,\sigma_0}$ over $\Lambda_b$. Since the lattice points are not equally probable a priori in the lattice Gaussian signaling, MAP decoding is not the same as standard maximum-likelihood (ML) decoding.

Proposition 5 (Equivalence between MAP decoding and MMSE lattice decoding). Let $\mathbf{x} \sim D_{\Lambda_b,\sigma_0}$ be the input signaling of an AWGN channel where the noise variance is $\sigma_b^2$. Then MAP decoding is equivalent to Euclidean lattice decoding of $\Lambda_b$ using a renormalized metric that is asymptotically close to the MMSE metric.

Proof: Bob receives $\mathbf{y} = \mathbf{x} + \mathbf{w}_b$. Thus the MAP decoding metric is given by

^(x,y) 



cx P(y|x)P(x) 




oc exp 



y X 



Therefore, 



arg maxP(x|y) 



arg mm 

xSAb 



arg mm 1 1 ay 

xGAb 



(27) 



is known, thanks to (l24l) . to be asymptoti- 



where a — 



cally close to the MMSE coefficient 



□ 



Next we prove Bob's reliability for any secrecy rate close to the secrecy capacity. We use the $\alpha$-renormalized decoding metric (27), even if the confidential message is not necessarily uniformly distributed. In fact, the following proofs hold for any fixed message index $m$. Also note that no dither is required to achieve reliability. Indeed, as we will see, Regev's regularity lemma (Lemma 8) makes the dither unnecessary. This is because the equivalent noise will be asymptotically Gaussian.

Suppose Alice transmits message $m$, and Bob receives $\mathbf{y} = \mathbf{x} + \mathbf{w}_b = \lambda + \lambda_m + \mathbf{w}_b$ (with $\lambda \sim D_{\Lambda_e,\sigma_0,-\lambda_m}$). From Proposition 5, Bob computes

$$\hat{\lambda}_m = \left[Q_{\Lambda_b}(\alpha\mathbf{y})\right] \bmod \Lambda_e.$$

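Recall the following properties of the mod $\Lambda$ and quantization operations. For all $\mathbf{a}, \mathbf{b} \in \mathbb{R}^n$, we have

$$\left[[\mathbf{a}] \bmod \Lambda_e + \mathbf{b}\right] \bmod \Lambda_e = [\mathbf{a} + \mathbf{b}] \bmod \Lambda_e \tag{28}$$

$$\left[Q_{\Lambda_b}(\mathbf{a})\right] \bmod \Lambda_e = \left[Q_{\Lambda_b}([\mathbf{a}] \bmod \Lambda_e)\right] \bmod \Lambda_e. \tag{29}$$

Using these properties, the output of Bob's decoder can be rewritten as

$$\hat{\lambda}_m = \left[Q_{\Lambda_b}(\mathbf{x} + (\alpha - 1)\mathbf{x} + \alpha\mathbf{w}_b)\right] \bmod \Lambda_e = \left[Q_{\Lambda_b}\left([\mathbf{x} + (\alpha - 1)\mathbf{x} + \alpha\mathbf{w}_b] \bmod \Lambda_e\right)\right] \bmod \Lambda_e.$$

Observe that since $\lambda \in \Lambda_e$, we have

$$[\mathbf{x} + (\alpha - 1)\mathbf{x} + \alpha\mathbf{w}_b] \bmod \Lambda_e = [\lambda_m + (\alpha - 1)\mathbf{x} + \alpha\mathbf{w}_b] \bmod \Lambda_e = [\lambda_m + \tilde{\mathbf{w}}_b(m)] \bmod \Lambda_e$$

where we have defined the equivalent noise

$$\tilde{\mathbf{w}}_b(m) = (\alpha - 1)\mathbf{x} + \alpha\mathbf{w}_b.$$

Therefore

$$\hat{\lambda}_m = \left[Q_{\Lambda_b}(\lambda_m + \tilde{\mathbf{w}}_b(m))\right] \bmod \Lambda_e.$$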

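Let $p_{\tilde{W}_b(m)}$ be the density of the equivalent noise $\tilde{\mathbf{w}}_b(m)$. Since $\mathbf{x} \sim D_{\Lambda_e+\lambda_m,\sigma_0}$ and $\mathbf{w}_b$ is Gaussian, Lemma 8 implies that for any fixed $m$, and randomizing over $\lambda$, $p_{\tilde{W}_b(m)}$ is very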


close to a continuous Gaussian distribution. More precisely, 
applying Lemma |8] with standard deviations {a — 1)(Jo and 
aab, and defining at = JJa^^Tf^al^ra^ = ^Sa£L=, 

we have 



Pw^-m(w)-/*.(w) <4e"/a,(w) Vwe 



(30) 



assuming that (recall pb — o^ja^) 



(l-Q)Ae 



(1 - a)aQ 



= ^A, 



< 



Thus, if $\epsilon'' \to 0$, the equivalent noise is essentially statistically independent from $m$, in the sense that it is very close to the distribution $f_{\tilde{\sigma}_b}(\mathbf{w})$ that does not involve $m$ at all.

Theorem 6. Suppose $\mathrm{SNR}_b > 4e - 1$, $\frac{1+\mathrm{SNR}_b}{1+\mathrm{SNR}_e} > e$ and $\mathrm{SNR}_b \cdot \mathrm{SNR}_e > 1$. Then if $\Lambda_b^{(n)}$ is a sequence of AWGN-good lattices, and $\Lambda_e^{(n)}$ is a sequence of secrecy-good lattices, any strong secrecy rate $R$ satisfying

$$R < \frac{1}{2}\log(1 + \mathrm{SNR}_b) - \frac{1}{2}\log(1 + \mathrm{SNR}_e) - \frac{1}{2} \tag{31}$$

is achievable on the Gaussian wiretap channel $W(\sigma_b, \sigma_e, P)$ using the discrete Gaussian signaling and MMSE-renormalized Euclidean lattice decoding.

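Proof: The decoding error probability $P_e(m)$ corresponding to the message $m$ is bounded from above as

$$P_e(m) \le \mathbb{P}\{Q_{\Lambda_b}(\lambda_m + \tilde{\mathbf{w}}_b(m)) \ne \lambda_m\} = \mathbb{P}\{\tilde{\mathbf{w}}_b(m) \notin \mathcal{V}(\Lambda_b)\}.$$

Since in particular

$$p_{\tilde{W}_b(m)}(\mathbf{w}) \le (1 + 4\epsilon'') f_{\tilde{\sigma}_b}(\mathbf{w}) \quad \forall \mathbf{w} \in \mathbb{R}^n,$$

we find that

$$\mathbb{P}\{\tilde{\mathbf{w}}_b(m) \notin \mathcal{V}(\Lambda_b)\} \le (1 + 4\epsilon'') \cdot \mathbb{P}\{\tilde{\mathbf{w}}_b \notin \mathcal{V}(\Lambda_b)\}$$

where $\tilde{\mathbf{w}}_b$ is i.i.d. Gaussian with variance $\tilde{\sigma}_b^2$. Note that while the equivalent noise $\tilde{\mathbf{w}}_b(m)$ in general depends on $m$, the resulting bound on the error probability is independent of $m$.

From AWGN-goodness of $\Lambda_b$, it follows that the decoding error probability $P_e$ tends to $0$ exponentially fast if $\epsilon''$ is bounded by a constant and if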



lAb (o-b) 



\2/7l 



> e. 



(32) 



On the other hand, since $\Lambda_e$ is secrecy-good, Theorem 5 implies that a sufficient condition for the mod-$p$ lattices of Theorem 2 to achieve strong secrecy is



7A, (ffe) 



\2/r. 



2na, 



< 1. 



(33) 



Combining (32) and (33), we have that strong secrecy rates $R$ satisfying



n V(Ab) 2 \l + Pe 



(34)

are achievable.

Two extra conditions on the flatness factors are required. First, to make $\rho_b \to \mathrm{SNR}_b$ and $\rho_e \to \mathrm{SNR}_e$, it suffices that $\epsilon_{\Lambda_e}(\sigma_0/2) \to 0$ (by (24)). This condition can be satisfied by mod-$p$ lattices if



7A, 



\2/n 



< 1, 



2n^ 



which together with 



limits the secrecy rate to 



(35) 



The second condition eA 



_2Q_ 



for the equivalent 



noise to be asymptotically Gaussian (by dSOl l) can be satisfied 
by mod-p lattices if 



7Ae 



2 In 



< 1, 



i+i/pt 

which together with (|32| | limits the secrecy rate to 

R < ilogpfc - 



(36) 



Now, combining ([34l)-([36l) and considering a positive se- 
crecy rate, we have 



(37) 



when SNRf, > 4e-l and }+g|^p'' > e. Note that condition dSST l 
has been absorbed in ( |37] ). Further, when SNR^ SNRg > 1, 
the first term is smaller. Therefore, the theorem is proven. 

□ 

Remark 11. It can be checked that, in our framework, conventional (non-renormalized) minimum-distance lattice decoding can only achieve strong secrecy rate up to

$$R < \frac{1}{2}\log(\mathrm{SNR}_b) - \frac{1}{2}\log(1 + \mathrm{SNR}_e) - \frac{1}{2}.$$

This is because it requires 

, , T/(A,)2/" 

rather than Therefore, MAP decoding or MMSE 

estimation allows to gain a constant 1 within the logarithm 
of the first term. 



Remark 12. The existence of good wiretap codes for the Gaussian channel follows from Proposition 4. In fact, this case is less demanding than the mod-$\Lambda_s$ channel there since no shaping lattice is needed. We only need a sequence of nested lattices $\Lambda_e^{(n)} \subset \Lambda_b^{(n)}$ where $\Lambda_e^{(n)}$ is secrecy-good (with respect to $\tilde{\sigma}_e$ rather than $\sigma_e$) and $\Lambda_b^{(n)}$ is AWGN-good.

VI. Discussion 

In this paper, we have studied semantic security over the 
Gaussian wiretap channel using lattice codes. The flatness 
factor serves as a new lattice parameter to measure information 
leakage in this setting. It can tell whether a particular lattice is 
good or not for secrecy coding, and consequently provides a 
design criterion of wiretap lattice codes. While we have proved 
the existence of secrecy-good mod-p lattices, the explicit 
construction of practical secrecy-good lattices warrants an 
investigation. Further work along the line of secrecy gain ifioll 
may provide some secrecy-good unimodular lattices. 

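The half-nat gap to the secrecy capacity is intriguing. It would be interesting to find out what happens in between, and to further explore the relation between various lattice parameters.

Appendix I

Proof of Csiszar's Lemma for Continuous Channels

Proof: Note that in spite of the ambiguous notation, here $p_Z$ and $p_{Z|M=m}$ are densities on $\mathbb{R}^n$, while $p_M$ and $p_{M|Z=\mathbf{z}}$ are probability mass functions on $\mathcal{M}_n$. We have

$$\begin{aligned}
d_{av} &= \sum_{m \in \mathcal{M}_n} p_M(m) \int_{\mathbb{R}^n} \left| p_{Z|M=m}(\mathbf{z}) - p_Z(\mathbf{z}) \right| d\mathbf{z} \\
&= \sum_{m \in \mathcal{M}_n} \int_{\mathbb{R}^n} \left| p_{M|Z=\mathbf{z}}(m)\, p_Z(\mathbf{z}) - p_M(m)\, p_Z(\mathbf{z}) \right| d\mathbf{z} \\
&= \int_{\mathbb{R}^n} \sum_{m \in \mathcal{M}_n} \left| p_{M|Z=\mathbf{z}}(m) - p_M(m) \right| p_Z(\mathbf{z})\, d\mathbf{z} \\
&= \int_{\mathbb{R}^n} \mathbb{V}(p_M, p_{M|Z=\mathbf{z}})\, d\mu = \int_{\mathbb{R}^n} V_M(\mathbf{z})\, d\mu,
\end{aligned}$$

where $V_M(\mathbf{z}) = \mathbb{V}(p_M, p_{M|Z=\mathbf{z}})$ and $d\mu = p_Z(\mathbf{z})\,d\mathbf{z}$ is the probability measure associated to $Z$.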
By using Lemma 2.7 in [22], we obtain 



-H(M|Z = z) < VM(z)log 



\Mn\ 

Vm(z)' 



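Multiplying by $p_Z(\mathbf{z})$ and taking the integral, we find

$$I(M; Z) = H(M) - H(M|Z) \le \int_{\mathbb{R}^n} V_M(\mathbf{z}) \log\frac{|\mathcal{M}_n|}{V_M(\mathbf{z})}\, d\mu = \int_{\mathbb{R}^n} V_M(\mathbf{z}) \log|\mathcal{M}_n|\, d\mu - \int_{\mathbb{R}^n} V_M(\mathbf{z}) \log V_M(\mathbf{z})\, d\mu.$$

From Jensen's inequality, using the fact that the function $t \mapsto t\log t$ is convex, we have that

$$\int_{\mathbb{R}^n} V_M(\mathbf{z}) \log V_M(\mathbf{z})\, d\mu \ge \left( \int_{\mathbb{R}^n} V_M(\mathbf{z})\, d\mu \right) \log\left( \int_{\mathbb{R}^n} V_M(\mathbf{z})\, d\mu \right).$$

This completes the proof. □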



Appendix II

Lattices that are good for coding

We recall some characterizations of "good" lattices for channel coding and shaping that have been proposed in the literature [15], [24], [28], [36]. A sequence of lattices is good for covering if its Voronoi region is asymptotically close to a sphere:

Definition 10 (Rogers-good). Given a lattice $\Lambda$, let $r_{\mathrm{cov}}(\Lambda)$ denote its covering radius and $r_{\mathrm{eff}}(\Lambda)$ its effective radius (that is, the radius of a sphere having the same volume as the Voronoi region of $\Lambda$). A sequence of lattices $\Lambda^{(n)}$ is called Rogers-good or covering-good if $\lim_{n \to \infty} \frac{r_{\mathrm{cov}}(\Lambda)}{r_{\mathrm{eff}}(\Lambda)} = 1$.

Definition 11 (Quantization-good). A sequence of lattices $\Lambda^{(n)}$ is quantization-good if the normalized second moment $G(\Lambda^{(n)})$ tends to $\frac{1}{2\pi e}$ as $n$ tends to infinity.

Let us also introduce the notion of lattices which are good for the Gaussian channel without power constraint:

Definition 12 (AWGN-good). Given $\epsilon > 0$ and an $n$-dimensional lattice $\Lambda$, let $W^n$ be an i.i.d. Gaussian random vector of variance $\sigma_\epsilon^2$ such that $\mathbb{P}\{W^n \notin \mathcal{V}(\Lambda)\} = \epsilon$. Consider the corresponding generalized SNR $\gamma_\Lambda(\sigma_\epsilon) = \frac{V(\Lambda)^{2/n}}{2\pi\sigma_\epsilon^2}$. The sequence of lattices $\Lambda^{(n)}$ is AWGN-good if for all $\epsilon \in (0, 1)$,

$$\lim_{n \to \infty} \gamma_{\Lambda^{(n)}}(\sigma_\epsilon) = e$$

and if for a fixed generalized SNR greater than $e$, the quantity

$$\mathbb{P}\{W^n \notin \mathcal{V}(\Lambda)\}$$

vanishes exponentially fast in $n$.

Observe that the previous properties are all invariant by scaling of the lattice.

Erez and Zamir [15] showed that lattice coding and decoding can achieve the capacity of the Gaussian channel. More precisely, one can prove the existence of a sequence of nested lattices $\Lambda_s^{(n)} \subset \Lambda_b^{(n)}$ such that

- the shaping lattice $\Lambda_s^{(n)}$ is simultaneously Rogers-good, quantization-good and AWGN-good,

- the fine lattice $\Lambda_b^{(n)}$ is AWGN-good.

When a random dither at the transmitter and an MMSE filter at the receiver are used, the Voronoi signal constellation $\Lambda_b^{(n)} \cap \mathcal{V}(\Lambda_s^{(n)})$ approaches the capacity of the mod-$\Lambda_s^{(n)}$ Gaussian channel, and consequently the capacity of the Gaussian channel, when $n$ is large (see [15]).

^Our definition is the same as in fl^ [37], except for the normalization factor $2\pi$.


Appendix III

Existence of good nested lattices: Proof of Proposition 4

Let $\mathscr{C}$ denote the set of $\mathbb{F}_p$-linear $(n, k)$ codes, and let $\mathcal{C}$ be chosen uniformly at random from $\mathscr{C}$. Consider the corresponding Construction-A random lattice



P 



By definition of the effective radius, we have: 

r (i + 1) _ 

7r3roff(As)" 

We know from fh^. Theorem 5] that with high probability, 
the lattice A^ is Rogers, quantization and AWGN-good if the 
following properties are satisfied: 

(i) 3/3 < i : fc < /3n, 



(iii) Vn : Tmin < reff(As) < 2rmin, where 



1 



(reff(A,))2 



In the previous formula, Ep denotes the Poltyrev exponent 

i[(A*-l)-logA*] 1<M<2 



2 < M < 4 (38) 
Ai > 4 



where /i = ^^^^^-^^ . Property (iii) implies that the fundamen- 
tal volume is bounded by 

r(| + i) < ''^^'^^ r(f + 1) ' ^'^^ 

which tends to 0 faster than exponentially, since Euler's Gamma function grows faster than any exponential. Given $(n, k)$ with $k$ satisfying (i) and (ii), consider $p(n, k)$ prime satisfying the condition (39). (The existence of such a prime number has been proven in [34].)

As explained in [34] (end of Section III), in order to
use $\Lambda_s$ for power-constrained shaping it is necessary to scale
it differently: we consider As = apA^ — BgZ" scaled so 
that its second moment satisfies $\sigma^2(\Lambda_s) = P$. As we have noted in Appendix II, such a scaling does not affect Rogers, quantization and AWGN-goodness.

Since A^ is quantization-good, its normalized second mo 
ment satisfies G{As) 
Therefore 



P 



1 

27re 



G(As 
For large n, we have 

V{A,)= a"p"-'' 



(27reP)^. 



(40) 



^Actually, the Poltyrev exponent is defined as a function of $\mu = V(\Lambda)^{2/n}/\sigma^2$ in [28] and as a function of $V(\Lambda)^{2/n}/(2\pi e \sigma^2)$ in (Hi.

Since grows superexponentially, so does p" and we thus have $\alpha \to 0$ and $\alpha p \to \infty$ as $n \to \infty$. If we set $\alpha$ in such a way that $V(\Lambda_s)$ is constant for $\alpha \to 0$ and $p \to \infty$ (but may depend on $n$), then for each $n$ we have a Minkowski-Hlawka type bound on the average behaviour of the theta series $\Theta_{\Lambda_s}(\tau)$ (see Lemma 3). Fix $\delta_n > 0$. For all $n$, there exists $p(n, k, \delta_n, \tau)$ such that for every prime $p > p(n, k, \delta_n, \tau)$ and the corresponding $\alpha$,



IE[eA.(r)] < 1 



(41) 



The following lemma, proven in Appendix IV, gives a more precise bound on the rate of convergence of the theta series to the Minkowski-Hlawka bound and guarantees that this choice of $p$ is compatible with (39).

Lemma 9. There exists a sequence Sn such that for 
sufficiently large n, we have p{n, k) > p{n, k, (5„, y). 

Having defined the shaping lattice, we proceed with a nested code construction inspired by Section VII in [15]. Let $C_b$ be chosen uniformly in the ensemble $\mathcal{C}_b$ of random linear $(n, k_b)$ codes over $\mathbb{F}_q$, and denote by $A_b$ its generator matrix. We



know from (iSTJ that if ^ 



0, then the lattice 

-Cb + T 

q 



is AWGN-good with high probability. Let $k_e < k_b$, and let $A_e$ be the matrix whose columns are the first $k_e$ columns of $A_b$. This matrix generates an $(n, k_e)$ linear code $C_e$ over $\mathbb{F}_q$; note that averaging over the possible choices for $C_b$, this construction results in $C_e$ being a uniformly chosen $(n, k_e, q)$ linear code. We can consider the corresponding Construction-A lattice

Ae - +Z" 



Clearly, we have $\Lambda_s \subset \Lambda_e \subset \Lambda_b$. As remarked in [37], there are many choices for $q$ and $k_e$, $k_b$ which ensure the properties



— log 


V{As) 




n 


V{Ae) 


n 


— log 


V{Ae) 


_ kb 


n 


ViAb) 


n 



\ogq R', 



(42) 



For example we can choose $q$ to be the closest prime to $n \log n$ and define $k_e = \lfloor nR' (\log q)^{-1} \rfloor$, $k_b = \lfloor n(R + R') (\log q)^{-1} \rfloor$. Consider the expectation $E_{\mathcal{C}, \mathcal{C}_e}$ over the sets $\mathcal{C}$ and $\mathcal{C}_e$ of $(n, k, p)$ and $(n, k_e, q)$ linear codes. By Lemma[T] we have:



lim Ec,Ce [^aA^)] 

n— ^oo 

= lim 7A,(cr)^Ec 



(43) 



Let $f(\mathbf{x}) = e^{-\pi\tau\|\mathbf{x}\|^2}$, $\bar{\mathbf{v}} = \mathbf{v} \bmod q$, and $C^* = C_e \setminus \{0\}$. We
have



- y 



\ v=0 



B, 



vGC* 



B, 



E 



/ 



B,v 



-E 



/(Bsv) 

qfc. - 1 
9" - 1 



1 



- 1 



E / 



B,v^ 

q , 



q" 



r E 

vei,"\( 



/(B.v/g) 



0a.(t) + 



1 



g" - 1 



In the last equation we have used the equality $\Theta_{a\Lambda}(\tau) = \Theta_\Lambda(a^2\tau)$.

We can now rewrite (43) as



lim 7a,(ct)^ 



0A.(r) 



-e 



As 



1 



where r = ^ . Using the property dTIT i. this can be bounded 
by 



lim 7a^ (it) 2 

+ lim 7Ae(o') 
< lim 7A^ (a 



(27ra2 



^(A.) 



Sn ^ 

(27raV) 
^(A.) 



'7A,(cr)^ 



- (5,1 



7Ae (O-)' 



= lim 7Ae(cr) 2 (1 + 

n— >C30 

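recalling that $e^{nR'} = q^{k_e}$ (see (42)). Therefore $\Lambda_e$ is secrecy-good.

Further, we can show the majority of such lattices are secrecy-good. Fix $0 < c < \frac{1}{2}$ and let $\delta = \gamma_{\Lambda_e}(\sigma)^{n/2} \, \frac{1 + \delta_n}{c}$. Then using Markov's inequality we get

$$P\{\epsilon_{\Lambda_e}(\sigma) \geq \delta\} \leq \frac{E[\epsilon_{\Lambda_e}(\sigma)]}{\delta} \leq c.$$

Therefore if $\gamma_{\Lambda_e}(\sigma) < 1$, the sequence $\Lambda_e^{(n)}$ is secrecy-good with probability greater than $1 - c > \frac{1}{2}$.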

To conclude, for $n$ large enough there exists a set of measure going to 1 in the ensemble $\mathcal{C} \times \mathcal{C}_b$ such that $\Lambda_s$ is Rogers, quantization and AWGN-good and $\Lambda_b$ is AWGN-good [15], and a set of measure greater than 1/2 in the same ensemble such that $\Lambda_e$ is secrecy-good. The intersection of these sets being non-empty, the existence of a good sequence of nested lattices follows as stated.

Appendix IV 
Proofs of technical lemmas 

A. Proof of Lemma 12 

Let $f(\mathbf{v}) = e^{-\pi\tau\|\mathbf{v}\|^2}$ for $\mathbf{v} \in \mathbb{R}^n$ and fixed $\tau \in \mathbb{R}^+$, and denote by $C'$ the set of all nonzero codewords of $C$. Following [13], we have



^E E 



CeC vGaAc 

= -y 



veZ":v=0 



^ /(av)+ /(«^) 

,veZ":v=0 veZ":vGC' 

p'' - I 



- E /(-) + ^ E /(-) 



(44) 
= E + E /w- E /w

(45) 

where (44) is due to the balancedness of $\mathcal{C}$. We have

/(v) = eapz"(r)^l (46) 

for any $\tau > 0$, since $\alpha p \to \infty$ under the conditions given.
Moreover,



(47) 



as a — >■ 0, p — > oo and a^p^^^ = V \s fixed. To see this, con- 
sider any sequence — > and define /^(v) = / ^ V 
then use Lebesgue's dominated convergence theorem, the
functions $f_i$ being dominated by $g(\mathbf{v})$ which is equal to 1

if V e [-^j^]" ^ind equal to e^''^^^=i('''''~^) otherwise. 
Thus, we have 



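$$\frac{1}{|\mathcal{C}|} \sum_{C \in \mathcal{C}} \sum_{\mathbf{v} \in \alpha\Lambda_C} f(\mathbf{v}) \to 1 + \frac{1}{V} \int_{\mathbb{R}^n} f(\mathbf{v}) \, d\mathbf{v}. \qquad (48)$$

Since $\int_{\mathbb{R}^n} f(\mathbf{v}) \, d\mathbf{v} = \tau^{-n/2}$, we obtain ( fTOl i.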

Remark 13. Although we are primarily concerned with the theta series, the average behavior (48) is more general and may be of independent interest. In fact, (48) holds as long as the function $f(\cdot)$ satisfies conditions (46) and (47).
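The averaging argument of this proof can be checked numerically in a small case. The Python sketch below is an added example, not code from the paper: it assumes $n = 2$, $k = 1$ (so the ensemble is the $p + 1$ lines of $\mathbb{F}_p^2$), with $\tau = 1$ and $V = 1$ as constructed sample values and hypothetical function names. It compares the brute-force ensemble average of the theta series with the closed form given by balancedness and with the limit $1 + 1/(V\tau^{n/2})$.

```python
import itertools
import math

def theta_Z(t, terms=400):
    """Theta series of Z at t: sum over z in Z of exp(-pi * t * z^2)."""
    return 1.0 + 2.0 * sum(math.exp(-math.pi * t * z * z) for z in range(1, terms))

def all_codes(p):
    """Every (2, 1) linear code over F_p: the p + 1 lines through 0 in F_p^2."""
    gens = [(1, a) for a in range(p)] + [(0, 1)]
    return [{(s * g0 % p, s * g1 % p) for s in range(p)} for g0, g1 in gens]

def theta_lattice(code, p, alpha, tau, radius):
    """Truncated theta series of alpha*(C + pZ^2): v in Z^2 with v mod p in C."""
    total = 0.0
    for x, y in itertools.product(range(-radius, radius + 1), repeat=2):
        if (x % p, y % p) in code:
            total += math.exp(-math.pi * tau * alpha**2 * (x * x + y * y))
    return total

def ensemble_average(p, alpha, tau, radius):
    """Brute-force average of the theta series over the whole code ensemble."""
    codes = all_codes(p)
    return sum(theta_lattice(c, p, alpha, tau, radius) for c in codes) / len(codes)

def balanced_average(p, alpha, tau, n=2, k=1):
    """Same average in closed form: by balancedness every nonzero residue
    class lies in a fraction (p^k - 1)/(p^n - 1) of the codes."""
    on_pZn = theta_Z((alpha * p) ** 2 * tau) ** n   # points with v = 0 mod p
    on_Zn = theta_Z(alpha**2 * tau) ** n            # all points of alpha*Z^n
    return on_pZn + (p**k - 1) / (p**n - 1) * (on_Zn - on_pZn)

def limit_value(V, tau, n=2):
    """Minkowski-Hlawka limit 1 + (1/V) * integral of f = 1 + 1/(V tau^(n/2))."""
    return 1.0 + 1.0 / (V * tau ** (n / 2))

if __name__ == "__main__":
    tau, V = 1.0, 1.0                               # constructed sample values
    for p in (7, 31, 101):
        alpha = (V / p) ** 0.5                      # keeps alpha^n p^(n-k) = V
        print(p, balanced_average(p, alpha, tau), limit_value(V, tau))
```

With $V$ held fixed, the gap between the ensemble average and the limit shrinks as $p$ grows, which is the convergence the lemma asserts.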



B. Proof of the second part of Lemma 5

Let $\epsilon = \epsilon_{\Lambda'}(\sigma)$. From Lemma 4 we have that $\forall \lambda \in \Lambda/\Lambda'$,

/..a(A') 
/<x,o(A') 

Therefore, for all $\lambda \in \Lambda/\Lambda'$:

|A/A'|./.,a(A') 



1 + 



1 - £ 1 + £ 



1 + e' 1 - e 



where $S = \sum_{\lambda \in \Lambda/\Lambda'} f_{\sigma,\lambda}(\Lambda')$. As a consequence:

|£'a,^(A + A') -Pl+l'(A+a')I 
= /.(A + A') ^ 



^ /.(A + AQ 
< r max 



|A/A'|/„j(A') 

1 + e 



5 



1 - 



1-e 



1 



1 + e 



2e 



i?A,.(A + A') 



□ 



C. Proof of Lemma 9

We study more explicitly the rate of convergence, by going back to the expression (45) in the proof of Lemma 3. We can rewrite it as

1-^) (e..(aVr))+^(e..(aV)) 



= 1- 



p^ -I 



p" 



From the bound 



i) (e.(aVr))" + ^(ez(aV))' 



< ez(r) = l + 2^e- 



2>1 



1 



< 1 + 2 / e"^^ = 1 + / e"^^ 



dz 



and recalling that a"p" = we find that 



^ (e^aV))" < ^ ( 1 + 



1 



V \ a 



1 



dv + o 



1 



while the lower bound is simply 



P 

Similarly, we have 



V 



1 < (ez(aVT))" < 1 + I e-y^'dz + o ( ^ 

It is not hard to see that the sequence k) defined by 
ensures (more than exponentially fast) convergence. □ 